Note: This is the third part of the miniseries, which focuses on Windows Hello for Business deployed with Cloud Kerberos Trust in a hybrid environment with Hybrid Azure AD Joined devices.
Provisioning Windows Hello for Business
Conditions for Correct Registration
To register Windows Hello for Business, several conditions must be met:
Note: We consider a hybrid environment.
- we log in directly to the device (not remotely) and the configuration (policy) for Windows Hello Provisioning is applied
- we have functional network communication to Microsoft (Azure AD)
- we have functional communication to the domain controller (if we use Group Policy and for the first login)
- we have multi-factor authentication (MFA) set up
- a functional TPM chip (if required)
- a minimum version of Windows 10 21H2 (with KB5010415 installed) or Windows 11 21H2 (with KB5010414 installed)
Verification of Prerequisites and Logs on the Device
If the conditions are met, the Provisioning process (registration) of Windows Hello for Business starts immediately after the user logs in. At the moment when the profile is loaded, but before the user gets their desktop, they are prompted to set up Windows Hello. The basic condition is that Windows Hello for Business is enabled (with Provisioning enabled). For the registration initialization to proceed, the device must have access to account.microsoft.com.
Information about registration and prerequisite check can be found in the log on the client. Using Event Viewer, open
Applications and Services Logs - Microsoft - Windows - User Device Registration - Admin
We can search for Event ID 358, which may look like this:
Windows Hello for Business provisioning will be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: No
Machine is governed by none policy.
Cloud trust for on premise auth policy is enabled: Yes
User account has Cloud TGT: Yes
Various information is also displayed by the command dsregcmd /status (dsregcmd /? shows the help). In the User State section there is an item NgcSet; if it is YES, the logged-in user has a Windows Hello key set (there is also an item CanReset, which indicates whether the PIN can be reset).
If Windows Hello for Business is not registered on the device, there is a whole section Ngc Prerequisite Check, which shows the result of the prerequisite check. NGC stands for Next Generation Credential.
C:\>dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : FIRMA
Device Name : test.firma.local
...
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
...
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
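Reading the NgcSet item and the Ngc Prerequisite Check section by hand is easy on one machine but tedious across a fleet. The following PowerShell is an added example, not code from the article: it parses dsregcmd /status output (live or captured) into its sections and reports which prerequisite is blocking provisioning. The function names and the reduced sample output are constructed for the example.

```powershell
# Added example (not the article's code): parse dsregcmd /status, live or captured, and
# summarise the Windows Hello for Business (Ngc) prerequisite state it reports.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}; $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|\s*$') {         # header row, e.g. "| User State |"
            $section = $Matches[1]
            $result[$section] = [ordered]@{}
        }
        elseif ($section -and $line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $result[$section][$Matches[1]] = $Matches[2]   # "Key : Value" row; keys may contain spaces
        }
    }
    return $result
}
function Test-WhfbPrerequisite {
    param([Parameter(Mandatory)][hashtable]$Status)
    if ($Status['User State'] -and $Status['User State']['NgcSet'] -eq 'YES') {
        return 'NgcSet is YES: the signed-in user already has a Windows Hello key.'
    }
    $check = $Status['Ngc Prerequisite Check']
    if (-not $check) { return 'No Ngc Prerequisite Check section found in the output.' }
    # Every one of these must read YES before post-logon provisioning is launched
    $mustBeYes = 'IsDeviceJoined','IsUserAzureAD','PolicyEnabled','PostLogonEnabled','DeviceEligible','SessionIsNotRemote'
    $failed = @($mustBeYes | Where-Object { $check[$_] -ne 'YES' })
    if ($failed.Count -eq 0) { return "All prerequisites met; PreReqResult = $($check['PreReqResult'])" }
    return "PreReqResult = $($check['PreReqResult']); not YES: $($failed -join ', ')"
}
# Constructed sample: the relevant rows of the dsregcmd output quoted in the article
$sample = @'
| User State |
 NgcSet : NO
| Ngc Prerequisite Check |
 IsDeviceJoined : YES
 IsUserAzureAD : YES
 PolicyEnabled : NO
 PostLogonEnabled : YES
 DeviceEligible : YES
 SessionIsNotRemote : YES
 CertEnrollment : none
 PreReqResult : WillNotProvision
'@ -split "`r?`n"
Test-WhfbPrerequisite -Status (ConvertFrom-DsregcmdStatus -Lines $sample)
# On a live device: Test-WhfbPrerequisite -Status (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```

For the article's sample the report points at PolicyEnabled : NO, which is exactly why PreReqResult reads WillNotProvision there.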
We can verify whether we have obtained a partial TGT from Azure AD:
C:\>klist cloud_debug
Current LogonId is 0:0xd1631
Cloud Kerberos Debug info:
Cloud Kerberos enabled by policy: 0
AS_REP callback received: 1
AS_REP callback used: 1
Cloud Referral TGT present in cache: 0
SPN oracle configured: 0
KDC proxy present in cache: 0
Public Key Credential Present: 1
Password-derived Keys Present: 0
Plaintext Password Present: 0
AS_REP Credential Type: 2
Cloud Primary (Hybrid logon) TGT available: 1
Logs of Windows Hello for Business usage are located in Event Viewer under
Applications and Services Logs - Microsoft - Windows - HelloForBusiness - Operational
We can display information about the TPM with
TpmTool GetDeviceInformation
First Login After Enabling Provisioning - Setting Up Windows Hello
The exact process of registering Windows Hello for Business depends on a number of circumstances: how the policy is set, what hardware is available on the computer, whether the user has an Azure AD account connected, and so on. A simple wizard guides us through the entire process.
Note: I did not find descriptions of various special situations, such as when certain communication is not available, so I tried to test them. In practice, I also encountered one of the Windows Hello registration pages with broken formatting and missing images.
Upon first login, a page with information about configuring Windows Hello for Business will appear. If biometric hardware is available, the first step is its configuration.
Note: Interestingly, this configuration is available even if we do not have any network connection at this moment. If we set up a fingerprint, the configuration will proceed. We will not get a dialog to set up a PIN (of course, nothing will be set in Azure AD). After logging into Windows, a status message will appear stating that Windows Hello is set up and we should set up a PIN.
Most commonly, we can set up a fingerprint (during configuration, we must repeatedly place or swipe our finger on the sensor).
If we have more options available, facial recognition or fingerprint, we choose the method we want to configure.
We start the setup by clicking the Set up button. We can skip it using Skip for now. This will take us to the second step, but the biometric methods configuration will not be automatically offered again (we can do it manually in Windows settings).
The second step appears if communication with Microsoft is available. The Use Windows Hello with your account page will appear, informing us that the organization requires us to set up our Azure AD account (Work or School Account) along with Windows Hello. We only have the option to click OK.
Note: This screen does not appear in all cases; sometimes it goes directly to setting up the PIN.
Next is the configuration of the Windows Hello PIN. First, it is necessary to sign in with the Azure AD account using MFA (valid for 10 minutes). Then the data is written to Azure AD.
Then we set up the PIN. If we want to use letters and symbols (not just numbers), we check Include letters and symbols.
Finally, we get a message that everything is set up - All set. We confirm with OK and are logged into Windows. For the first login (Hybrid Azure AD Joined device) using Windows Hello (biometrics or PIN), the domain controller must be available. In other cases, cached login can be used.
Setting Up (or Changing) Windows Hello (without provisioning)
Configuration and possible changes are made in Windows settings:
- Settings - Accounts - Sign-in options
Here we can set up and add additional sign-in options, fingerprints, change PIN, etc. Windows informs us which methods are allowed and available. We must be logged in directly to the computer (not via RDP) and Windows Hello must be enabled.
If the policy that allows Windows Hello has been activated and there has not yet been a login, we can set up the methods manually. Or if we have disabled post-login registration in the policy (Do not start Windows Hello provisioning after sign-in), we can perform the registration manually at any time or using a third-party application.
If we have a fingerprint reader available, we can start with Windows Hello Fingerprint. A wizard will start where we set up the fingerprint (or several, during configuration we must repeatedly place or swipe our finger on the sensor). Or we use Windows Hello PIN (description continues in the next step).
If we have not previously set up a PIN, we must set it up subsequently.
It is necessary to sign in with the Azure AD account using MFA (multi-factor authentication, valid for 10 minutes).
We enter our PIN. If we want to use letters and symbols (not just numbers), we check Include letters and symbols.
Signing in with Windows Hello
When signing in, one verification method is set as default. We can use the fingerprint directly (we do not need to activate the screen). If we want to use another method, we click on Sign-in options and choose one of the available methods.
Note: For the first login using biometrics or PIN, the domain controller must be available. In other cases, cached login can be used.
Changing or Resetting the PIN
We can change our Windows Hello PIN. If we forget it, we can perform a reset, where we sign in and verify using MFA and set a new PIN.
From Windows Settings
We can initiate a change or reset of the PIN from Windows settings:
- Settings - Accounts - Sign-in options
- click on Windows Hello PIN
- Change - change the PIN
- I forgot my PIN - reset the PIN
From the Sign-in Screen
The PIN can also be reset from the sign-in/lock screen:
- if the PIN method is not selected, use Sign-in options and select the keyboard icon
- click on I forgot my PIN
- sign in using your password
- go through the PIN registration process
Remote Desktop - connecting to a remote desktop
Windows Hello for Business is used for interactive (local) sign-in to the computer. When signing in to the computer remotely (Remote Desktop), another authentication method (password) must be used.
If we are signed in to the computer using Windows Hello for Business, we can connect remotely to another computer using Remote Desktop Connection from this computer. The system tries to use the Windows Hello certificate, which does not work for remote sign-in. It is necessary to click on More choices and select sign-in with a username and password. If a special certificate for remote sign-in has been issued on the system and is protected by Windows Hello for Business, it is shown as Security device credential.
hi, thanks for this article! I was just dealing with hybrid and the article helped me.
great, already deployed here, excellent article