Sunday, 23 Jun 2024
Technology

Inside Track Blog

Deploying Windows Hello for Business internally at Microsoft has significantly increased our security when accessing corporate resources. This feature provides a streamlined sign-in experience by replacing passwords with strong two-factor authentication using an enrolled device and PIN or biometric user input. Implementing Windows Hello was seamless within our existing identity infrastructure and is compatible with our remote access solution.

Authentication Beyond Passwords

Windows Hello for Business offers a public key or certificate-based authentication approach that goes beyond passwords. It utilizes key pairs that can replace passwords and are resistant to breaches, theft, and phishing. This authentication method aligns with our Zero Trust security model, emphasizing identity-driven security solutions by securing user identity and eliminating passwords.

Key Benefits

  • Supports Zero Trust Security Model: Windows Hello for Business strengthens our security by focusing on identity-driven solutions that prioritize strong authentication and eliminate reliance on passwords.
  • Uses Existing Infrastructure: We have configured Windows Hello to support smart card-like scenarios using a certificate-based deployment. Our existing security policies already enforce secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication.
  • Uses a PIN: Windows Hello replaces passwords with a stronger authentication method. Users can sign in to their devices using a PIN backed by a trusted platform module (TPM) chip.
  • Easy Certificate Renewal: Certificate renewals occur automatically when users sign in with their PIN before reaching the lifetime threshold.
  • Enables Single Sign-On: Once users sign in with their PIN, they gain access to email, SharePoint sites (with the latest Office 365 versions), and business applications without needing to provide credentials again.
  • Compatible with Remote Access: With certificate-based PIN, users can securely connect remotely using the Microsoft Digital Employee Experience VPN without requiring multi-factor authentication with phone verification.
  • Supports Biometric Hardware: Compatible biometric hardware allows users to set up biometric sign-in options, such as fingerprint or facial recognition.

Deployment Environment

Our deployment environment for Windows Hello for Business includes:

  • Server: Microsoft Azure AD subscription, Microsoft Azure AD Connect to extend on-premises directory to Azure AD, Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Network Device Enrollment Service (NDES), and Microsoft Intune.
  • Client: A device with an initialized and owned TPM.

Enrollment and Setup

The Windows Hello for Business user enrollment steps vary based on different scenarios. In all cases, users need to use their smart card or multi-factor authentication with a verification option (phone call or verification on a mobile app) alongside their username and password to complete enrollment.

The supported enrollment scenarios are:

  • On-premises Active Directory domain-joined devices: Users sign in with their domain account, the Group Policy is applied, the device registers with Microsoft Azure AD, and then the user creates a PIN.
  • Microsoft Azure AD-joined devices managed by Microsoft Intune: Users must enroll in device management (or add a work account) through Microsoft Intune. After enrolling and applying policies, the PIN credential provisioning process begins, and users receive a prompt to create their PIN.

Requirements

  • Two-factor authentication is necessary for PIN creation using an existing method (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
  • The PIN must be at least six characters long.
  • An internet connection or access to the Microsoft corporate network is required.
Tham Khảo Thêm:  How to Start Your Own Roofing Business: An Effective Guide

Physical Architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we had an existing public key infrastructure (PKI) in place. This pre-existing infrastructure reduced the amount of change required to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we utilized AD FS, AD CS, and Group Policy.

Server Roles and Services

In our implementation, the following servers and roles worked together to enable Windows Hello as a corporate credential:

  • Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service for device registration.
  • Microsoft Intune for enrolling devices joined to Microsoft Azure AD.
  • AD FS for federated identities and Microsoft Azure AD Application Proxy for secure remote access to on-premises web applications.
  • AD FS Registration Authority for handling certificate issuances and renewals for domain-joined devices.
  • NDES servers and certificate authorities for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-Joined Service Workflow

The following workflow applies to any Windows 10 computers joined to our AD DS domain:

  1. Domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
  2. After users sign out and sign in again, or if they select the pop-up notification, a PIN creation workflow runs, and they must configure their new PIN.
  3. During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. Users can also initiate the Windows Hello setup process from the Settings app at any time.

Microsoft Azure Active Directory-Joined Service Workflow

For Microsoft Intune-managed Microsoft Azure AD-joined devices, the workflow is as follows:

  1. Windows Intune pushes a device policy to Microsoft Azure AD devices containing the NDES server URL and the challenge generated by Intune.
  2. During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. Users can also initiate the Windows Hello setup process from the Settings app at any time.
  3. The device contacts the NDES server using the provided URL and the challenge response. The NDES server validates the challenge and receives a “true” or “false” to verify the challenge.
  4. If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to obtain a certificate for the device.
  5. The NDES server delivers the certificate to the computer.

Setting Policies

We used domain-based Group Policies to configure our Windows 10 domain-joined devices to provision Windows Hello user credentials during sign-in. Non-domain joined devices received their policies from Intune. These policies allow us to define the complexity and length of the PIN, as well as control whether Windows Hello is enabled.

Policies for Microsoft Active Directory Domain-Joined Clients

To trigger Windows Hello for Business provisioning and automatic renewal of authentication certificates, a Group Policy object needed to be created and deployed. The object contains the necessary settings found under “User Configuration” > “Administrative Templates” > “Windows Components Windows Hello for Business”. Both the “Enable Windows Hello for Business” and “Use certificate for on-premises authentication” settings must be enabled.

Tham Khảo Thêm:  Snapchat Lets Users Display Follower Counts

For PIN complexity settings control, policies can be found under “Computer Configuration” > “Administrative Templates System” > “PIN Complexity” starting from Windows 10 version 1703.

Policies for Microsoft Azure Active Directory-Joined Clients

To use Windows Hello/Windows Hello for Business certificate-based sign-in, the certificate profile should be configured in the “Assets & Compliance” > “Compliance Settings” > “Company Resource Access” > “Certificate Profiles” section. A template with smart card sign-in extended key usage (EKU) should be selected. Additionally, the minimum key size should be set to 2048.

To set up the desired policy, a Windows Hello for Business profile should be created in the “Assets & Compliance” > “Compliance Settings” > “Company Resource Access” > “Windows Hello for Business profiles” section. The required options to specify are:

  • Use Windows Hello for Business
  • Use a hardware security device
  • Use biometrics
  • PIN Complexity

User Enrollment Experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, the certificate enrollment and Windows Hello for Business policies are applied to the computer, if all the criteria for policy application are met.

Client Signs Out and Signs In (and Unlocks) the Device

The user unlocks their device, triggering the certificate enrollment process.

Certificate Enrollment Process

After successfully creating a PIN, a scheduled task is triggered (Event ID 300 – “Key registration was successful”). If the user does not have an existing certificate, the task requests a new challenge.

At this point, Windows 10 communicates with the specified certificate services server through AD FS to obtain a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate Renewal Behavior

We configured PIN credential certificates to have a lifetime of 90 days from issuance, with renewals occurring approximately 30 days before expiration. When a user enters their Windows Hello for Business PIN within the 30-day period before expiration, a new certificate is automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks the certificate lifetime percentage against the renewal threshold, and if necessary, a certificate renewal is initiated.

Microsoft Intune Specifics

The Open Mobile Alliance Device Management client communicates with the Microsoft Intune mobile device management server using SyncML. Policies are routed, and users receive the Simple Certificate Enrollment Protocol (SCEP) profile configured in our hybrid environment through Microsoft Intune. Within 10 minutes, users should receive their certificate. Manual syncing is required if the process fails.

Service Management

We, the Microsoft Digital Employee Experience team, are responsible for managing identity as a service at Microsoft. This includes introducing new credentials and phasing out older ones. When considering the addition of the Windows Hello for Business feature, we needed to determine how to introduce and explain it to our users.

Measuring Service Health

We are currently in the process of developing end-to-end telemetry to measure the service health of Windows Hello for Business. Currently, we monitor the performance and status of all our servers, as well as adoption and usage numbers to gauge the success of our service. We also track help desk issues to identify areas of improvement.

TPM Issues

Each OEM has specific BIOS initialization instructions and TPM lockout policies. We identified and documented potential issues for each hardware provider and communicated them to our users. It is important to note that clearing a TPM will render the private key unusable with Windows Hello for Business.

Tham Khảo Thêm:  How to Sign Out of Apple ID without a Password

Preventing PIN Enrollment Problems

Clear communication is vital in preventing common issues during PIN creation. Users need to understand the prerequisites and anticipated delays during onboarding scenarios. To mitigate this, we created a productivity guide to walk users through the enrollment process.

Monitoring End-to-End Service Health

Windows Hello for Business relies on several underlying services, including Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. Ensuring the health and availability of these services is essential. Monitoring the performance and status of these supporting services can help troubleshoot any delays in certificate issuance.

Conclusion

Windows Hello for Business is a powerful feature that enhances security and user experience by replacing passwords with strong two-factor authentication. By leveraging existing infrastructure and supporting remote access, it provides a streamlined sign-in process and better protects corporate resources. With Windows Hello for Business, Microsoft continues to prioritize identity-driven security solutions that align with the Zero Trust model.


Frequently Asked Questions

Q: What is Windows Hello for Business?
A: Windows Hello for Business is a feature that replaces passwords with strong two-factor authentication using an enrolled device and PIN or biometric input.

Q: What are the benefits of Windows Hello for Business?
A: Windows Hello for Business offers multiple benefits, including support for the Zero Trust security model, compatibility with existing infrastructure, easy certificate renewal, single sign-on capability, compatibility with remote access, and support for Windows Hello biometric hardware.

Q: How does the enrollment process work?
A: The enrollment process varies based on the scenario. For on-premises Active Directory domain-joined devices, users sign in with their domain account, and the device is registered with Microsoft Azure AD. For Microsoft Azure AD-joined devices managed by Microsoft Intune, users enroll in device management through Intune.

Q: What are the requirements for PIN creation?
A: Two-factor authentication is required for PIN creation, and the PIN must be at least six characters long. An internet connection or access to the Microsoft corporate network is also necessary.

Q: How does Windows Hello for Business manage certificate renewals?
A: Windows Hello for Business automatically renews certificates approximately 30 days before they expire. When users sign in with their PIN within the renewal period, a new certificate is provisioned on their device.

Q: What is the role of TPM in Windows Hello for Business?
A: TPM (Trusted Platform Module) is used to securely store private keys and enhance the security of Windows Hello for Business. It enables the use of hardware-backed credentials.

Q: How can potential issues with TPM be addressed?
A: Each OEM has specific TPM initialization instructions and lockout policies. Users should be aware that clearing a TPM will render the private key unusable with Windows Hello for Business.

Conclusion

Windows Hello for Business is a game-changer in the field of authentication. By replacing passwords with strong two-factor authentication using an enrolled device and PIN or biometric input, it enhances security and simplifies the sign-in process. With its compatibility with existing infrastructure and support for remote access, Windows Hello for Business is becoming the go-to solution for organizations looking to improve their security posture. Experience the benefits of Windows Hello for Business and join the future of authentication.

For more information about Windows Hello for Business, visit the official Eireview website.