How To Setup Windows Hello For Business
Anyone who has purchased a Windows device from Microsoft or several other vendors in the last few years might have been presented with Windows Hello. A biometrics-based technology (face or fingerprint scans), it lets you securely and quickly sign in to your device. In this article, we'll look at a real-world deployment of Windows Hello for Business at a small independent school in Australia.
This won't offer complete coverage of all Windows Hello for Business options, as there are quite a few paths you can take, depending on your starting environment. Instead, I'll share my learnings from this particular deployment.
A few words about the client: they're an independent school with approximately 90 students in grades 1–12 and about 20 staff. They use Microsoft 365 A3 (equivalent to commercial E3), Microsoft Endpoint Manager, and Windows 10 across all devices.
The device fleet comprises 13 Surface Book devices for teachers, 16 Surface Pros for senior students, and just over 50 Dell laptops (not Windows Hello for Business-capable) for the rest of the students, plus a smattering of Dell desktop PCs for admin staff. Server infrastructure is a Dell R440 server running Windows Server 2019 Hyper-V and seven VMs: two domain controllers, a file/print server, a LOB application, a WSUS server, Microsoft's Advanced Threat Analytics (ATA), and a Linux syslog server.
There's also an older Dell server that's the Hyper-V replica target for all VMs, located in a different building on campus. Each of the six buildings has a managed switch, which is connected with fiber optic cabling to the others. Each of these has a NetGear Wi-Fi access point, and together they provide roaming indoor network access. Active Directory syncs user and computer accounts to Azure AD using AAD Connect.
Windows Hello vs. Windows Hello for Business
I've used Windows Hello on every device since my first Surface Book, and it's incredibly convenient. Most times I'm signed in before I've even sat down in the chair to start working. Setup is also quite quick: a few scans of your face (with and without glasses) and you're good to go.
While Windows Hello for Business uses the same underlying technology, it's quite a different beast. When the school decided to purchase Surface Books and later Surface Pros, I mentioned how great I found Windows Hello and said, "You can do this too." IT consultant error number one: don't promise until you've checked the prerequisites 😊.
Deployment prerequisites
Taking Windows Hello to Active Directory and using it on domain-joined PCs is a lot more complex than on consumer devices. When this was first discussed with the client, they were still running Windows Server 2008 R2 DCs, so that was the first hurdle; now their DCs are Windows Server 2019. Other requirements are Windows 10 1709 or later, devices that are either AD and AAD joined (hybrid) or AAD joined, Windows Server 2016 or later DCs (you can use 2008 R2/2012 but only with certificate trust, see below), and a Windows Server 2016 schema.
Windows Hello for Business isn't just biometrics but an umbrella term for various stronger authentication methods, and you always have the option of falling back to a PIN. Unlike a username/password pair, that PIN is unique to the device: it unlocks a key held on that device rather than being a secret that can be replayed elsewhere.
As mentioned, there are a few paths to take in the quest toward Windows Hello for Business nirvana. Your first decision is between key-based and certificate-based authentication. The former is easier to deploy but doesn't support Remote Desktop connections; the latter requires a public key infrastructure (PKI) for certificate deployment, which might fit right in if your business already has that deployed but raises the bar if you don't. Note that even if you opt for key-based, you'll still need a minimal PKI/AD Certificate Services (AD CS) service to deploy updated certificates to your DCs.
A second decision is whether you're going to do a cloud-only deployment (Windows 10, AAD, Azure AD MFA only) or a hybrid deployment. For hybrid, you can do certificate trust and mixed managed, key trust and modern managed, or certificate trust and modern managed, where "modern" means MDM (Intune/Endpoint Manager) enrolled. There is also an on-premises-only deployment path.
Microsoft provides a map for your quest in the form of a planning worksheet. Go through each question regarding your current environment in conjunction with the planning guide to gain insight into which options you have for your Windows Hello for Business deployment.
Here's my resulting worksheet. We went with a hybrid deployment with key trust and Endpoint Manager. I automatically joined the client PCs to Azure AD using a GPO.
Windows Hello for Business Planning Worksheet
Another wrinkle is whether you're still running AD Federation Services (AD FS; this client is not), which needs to be considered in your planning. As an aside, given that the SolarWinds attackers abused AD FS (forging SAML tokens with stolen token-signing keys), and Microsoft has been recommending migrating from AD FS to AAD for your federation needs, start your migration journey now if you have AD FS.
Once all devices were joined to AAD, I was ready to proceed. The documentation has clearly laid out steps, which in my case involved:
- Checking prerequisites: AD, AAD directories, and PKI will need to be deployed for DC certificates (see below)
- Deploying AD CS and configuring it
- Configuring directory synchronization
- Configuring Azure device registration
- Configuring Windows Hello for Business settings
- Signing in and provisioning
Certificate services
If you're deploying AD CS in a large business with strict security requirements, be aware that there are many steps involved in planning such a deployment. One path is creating a root CA on a workgroup server (so that it doesn't lose trust with the domain when it's offline for extended periods of time), which issues certificates to subordinate issuing CAs and is then shut down and locked away in a vault. This is beyond what this client needs, and I just deployed AD CS on one of the DCs. Be aware that this co-locates two Tier 0 roles on one box: whoever controls that DC also controls the CA, and the server can't be renamed or demoted later without first removing the CA role.
Setting up AD CS
By default, the AD CA publishes a Kerberos Authentication certificate template, but it uses the older CryptoAPI (CSP) providers rather than CNG key storage providers; hence, the documentation guided me through creating a new template with updated settings such as the RSA algorithm with a 2048-bit minimum key size and SHA-256. This template is then configured to supersede the older ones and published, while the older certificate templates are removed from the CA's list of issuable templates.
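To confirm that a domain controller actually received a certificate from the new template with the settings above, the following check can be run on the DC. This is an added example and not code from the original article; the template display name it looks for is an assumption, so set it to whatever you named your template, and treat the provider check as a heuristic (certutil -store My shows the provider authoritatively).

```powershell
# Added example, not code from the 4sysops article. Checks that a domain
# controller holds a certificate meeting the key-trust requirements described
# above: issued from the new template, RSA >= 2048, SHA-256 signature, private
# key in a CNG key storage provider (KSP), KDC Authentication EKU, not expired.
# Run in an elevated PowerShell session on the DC. The template display name
# below is an assumption; set it to whatever you named your template.

function Test-DcKerberosCertificate {
    param(
        [string]$TemplateName = 'Domain Controller Authentication (Kerberos)',
        [int]$MinimumKeySize = 2048
    )

    $kdcAuthOid  = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU
    $templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information
    $rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthOid }

    foreach ($cert in $candidates) {
        # Template name (and OID) as rendered by the extension formatter.
        $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '' }

        $rsaPub  = $rsaExt::GetRSAPublicKey($cert)
        $keySize = if ($rsaPub) { $rsaPub.KeySize } else { 0 }

        # Private-key provider: a CNG (KSP) key surfaces as RSACng, a legacy
        # CSP key as RSACryptoServiceProvider. Heuristic only.
        $provider = 'unknown'
        try {
            $rsaPriv = $rsaExt::GetRSAPrivateKey($cert)
            if ($rsaPriv) { $provider = $rsaPriv.GetType().Name }
        } catch { }

        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            FromNewTemplate = $tmplText -like "*$TemplateName*"
            KeySizeOk       = $keySize -ge $MinimumKeySize
            Sha256          = $cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA'
            KspBacked       = $provider -eq 'RSACng'
            NotExpired      = $cert.NotAfter -gt (Get-Date)
            Template        = $tmplText.Trim()
        }
    }
}

Test-DcKerberosCertificate | Format-List
```

Every property should come back True for exactly one certificate; a certificate that passes everything except KspBacked is the symptom of requesting from the old template (or a template whose cryptography tab still selects a legacy CSP).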
Configuring the certificate template
AAD device registration
Since AAD Connect is already running at this client, it was just a matter of configuring it. There's a Service Connection Point (SCP) required, but since we're running an up-to-date version of AAD Connect, it was already in place.
I checked a random sample of devices in Devices for their join status in the AAD portal as well as on the devices themselves. You can use either dsregcmd /status in a command window or Get-MsolDevice in PowerShell.
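Reading dsregcmd /status by eye across a fleet gets old quickly. The following added example (not from the original article) parses its output into a hashtable and checks the fields that matter for hybrid key trust; the sample output at the bottom is constructed and abbreviated so the parser can be tried without a domain-joined machine. Run it on the client as the user who will enroll, because the SSO and User State sections are specific to the signed-in user.

```powershell
# Added example, not code from the 4sysops article. Parses "dsregcmd /status"
# into a hashtable and checks the fields that matter for hybrid key trust.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Value lines look like "    AzureAdJoined : YES"; banner and '+---'
        # lines don't match the pattern and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbJoinState {
    param([hashtable]$State)
    # Fields and the value each must have before a user can provision a Hello
    # key. NgcSet/TpmProtected are reported rather than required: NgcSet is NO
    # until the user's first Hello enrollment and YES afterwards.
    $required = [ordered]@{
        AzureAdJoined = 'YES'   # hybrid join completed
        DomainJoined  = 'YES'   # still on-prem AD joined
        AzureAdPrt    = 'YES'   # user holds a Primary Refresh Token
    }
    $result = [ordered]@{}
    foreach ($k in $required.Keys) {
        $result[$k] = ($State[$k] -eq $required[$k])
    }
    $result['Ready']        = -not (@($result.Values) -contains $false)
    $result['NgcSet']       = $State['NgcSet']
    $result['TpmProtected'] = $State['TpmProtected']
    return $result
}

# Live use on a client:
#   Test-WhfbJoinState (ConvertFrom-DsregStatus (dsregcmd /status))

# Constructed sample (abbreviated dsregcmd /status output):
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : SCHOOL
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
'@ -split "`r?`n"

Test-WhfbJoinState (ConvertFrom-DsregStatus $sample)
```

A device that shows AzureAdJoined YES but AzureAdPrt NO is the one to investigate before training day: the join is fine, but the user hasn't obtained a PRT, and provisioning will fail for them until they have.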
Configuring Windows Hello for Business settings
After what felt like an eternity of planning, checking prerequisites, and configuring the infrastructure itself, I could now configure the single GPO setting "Enable Windows Hello for Business," along with a second GPO for the domain controllers to automatically enroll the certificate described above.
Group policy configuration
There are a few optional additional settings in the GPO that you can use, such as Use a hardware security device, which mandates storing credentials in a TPM chip. You can optionally also require only TPM 2.0 and not 1.2. You can also use biometrics; maybe you want to disable the use of biometrics until you're ready to switch it on, which will leave PIN as the only option. You can require PIN complexity (I went with a minimum of six digits), and I created a Windows Hello for Business Users group to control who gets the option for Windows Hello for Business in the staged rollout.
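To verify on a client that these GPO choices actually landed (TPM required, TPM 1.2 excluded, six-digit minimum PIN), the following added example audits the policy registry values. It is not code from the original article; the registry paths and value names are those I know from Passport.admx, so verify them against the ADMX in your central store before relying on it. The sample hashtable at the bottom is constructed.

```powershell
# Added example, not code from the 4sysops article. Audits the registry values
# the Windows Hello for Business GPO writes on a client. Paths/value names are
# from Passport.admx as I know it (assumption; check your ADMX). Run after
# "gpupdate /force".

$WhfbPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-WhfbPolicy {
    # Reads the policy values into a flat hashtable; missing values stay $null.
    param([string]$Root = $WhfbPolicyRoot)
    $read = {
        param($SubKey, $Name)
        $path = if ($SubKey) { Join-Path $Root $SubKey } else { $Root }
        try { (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }
    @{
        Enabled               = & $read '' 'Enabled'                         # Use WHfB
        RequireSecurityDevice = & $read '' 'RequireSecurityDevice'           # TPM required
        ExcludeTpm12          = & $read 'ExcludeSecurityDevices' 'TPM12'     # TPM 1.2 excluded
        BiometricsEnabled     = & $read 'Biometrics' 'Enabled'               # Use biometrics
        MinimumPINLength      = & $read 'PINComplexity' 'MinimumPINLength'
    }
}

function Test-WhfbPolicy {
    param([hashtable]$Policy, [int]$MinimumPinLength = 6)
    $findings = @()
    if ($Policy.Enabled -ne 1) {
        $findings += 'Use Windows Hello for Business is not enabled'
    }
    if ($Policy.RequireSecurityDevice -ne 1) {
        $findings += 'Use a hardware security device is not set: keys may be software-backed'
    }
    if ($Policy.ExcludeTpm12 -ne 1) {
        $findings += 'TPM 1.2 is not excluded'
    }
    if ($null -eq $Policy.MinimumPINLength -or $Policy.MinimumPINLength -lt $MinimumPinLength) {
        $findings += "Minimum PIN length is below $MinimumPinLength"
    }
    if ($Policy.BiometricsEnabled -eq 0) {
        $findings += 'Biometrics disabled by policy (PIN only); expected during a staged rollout'
    }
    return $findings
}

# Live use on a client:
#   Test-WhfbPolicy (Get-WhfbPolicy)

# Constructed sample: a client where the GPO applied except the TPM 1.2 exclusion.
$sample = @{
    Enabled = 1; RequireSecurityDevice = 1; ExcludeTpm12 = $null
    BiometricsEnabled = $null; MinimumPINLength = 6
}
Test-WhfbPolicy $sample
```

An empty result means the client matches the intended configuration. The RequireSecurityDevice finding is the one worth treating as a blocker: without it, a device with a faulty or disabled TPM will still provision, but with a software-protected key.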
End user experience
I learned rather late in the deployment that Windows Hello for Business requires Azure MFA (or the now-retired Azure MFA Server on-premises), so apart from the steps above, users also need to use the free Microsoft Authenticator app on their phones (or SMS text messages or phone calls; I disabled those options as they're less secure) and need to register at aka.ms/mfasetup.
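Since MFA registration turned out to be a gate on provisioning, it helps to know before a training session who hasn't registered and who still carries an SMS or voice method. The following added example (not from the original article) does that with the same MSOnline module used for Get-MsolDevice above, assuming a session opened with Connect-MsolService; the MethodType names are those MSOnline returns as I know them, and the sample users are constructed. MSOnline has since been deprecated in favour of Microsoft Graph, so treat this as the pattern rather than the long-term tool.

```powershell
# Added example, not code from the 4sysops article. Reports MFA readiness for a
# pilot group: no registered method means the user cannot provision Hello, and
# SMS/voice methods are the ones this deployment disabled.

function Get-MfaReadiness {
    param([object[]]$Users)   # objects with UserPrincipalName, StrongAuthenticationMethods
    $weak = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'TwoWayVoiceAlternateMobile'
    $app  = 'PhoneAppNotification', 'PhoneAppOTP'
    foreach ($u in $Users) {
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        $defaultName = if ($default) { $default } else { 'none' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Registered        = $methods.Count -gt 0
            HasAuthenticator  = [bool]($methods | Where-Object { $app -contains $_ })
            HasWeakMethod     = [bool]($methods | Where-Object { $weak -contains $_ })
            DefaultMethod     = $defaultName
        }
    }
}

# Live use against the tenant (after Connect-MsolService):
#   Get-MfaReadiness -Users (Get-MsolUser -All | Where-Object { $_.IsLicensed }) |
#       Where-Object { -not $_.HasAuthenticator -or $_.HasWeakMethod } | Format-Table

# Constructed sample users:
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'teacher1@school.example'
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true },
            [pscustomobject]@{ MethodType = 'OneWaySMS';            IsDefault = $false }
        )
    },
    [pscustomobject]@{ UserPrincipalName = 'teacher2@school.example'; StrongAuthenticationMethods = @() }
)
Get-MfaReadiness -Users $sample | Format-Table -AutoSize
```

In the constructed sample, teacher1 is ready but still has an SMS method to clean up, and teacher2 has nothing registered and would hit the MFA prompt mid-provisioning.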
I initially deployed this to six teachers during an afternoon training session, and the experience was flawless: set up MFA, sign off, sign back on, Windows Hello for Business asks the user to set up a PIN, scans their face, and then signs them in. One of the Surface Books had trouble with the biometrics and refused to do face registration, probably due to its age (troubleshooting to follow).
Lessons learned
This was a long process, spread out over years from the initial idea to last week's training when teachers enrolled, with more students and teachers to follow. I really like the idea of an unphishable credential that also provides a convenient user experience. Given the hardware requirements for Windows 11, I've advised the client that new device purchases toward the end of this year need to come with TPM 2.0 chips and Windows Hello for Business-capable biometrics. We'll see what price premium that brings.
I'm also trialing a FIDO2 YubiKey with one student to assess whether having a separate device (again unphishable) for authentication is preferable, rather than having it built into each PC.
I hope this real-world deployment experience retelling was useful. Good luck in your journey to being passwordless.
Source: https://4sysops.com/archives/deploying-windows-hello-for-business/
Posted by: collinshandentoich.blogspot.com
