2. WHO AM I?
WHFB INTRO
DEMO
DEPLOYMENT MODELS
WHFB HYBRID
DEMO
TIPS & TRICKS
QUESTIONS
Copyright InSpark
3. PIM JACOBS
Senior Consultant at InSpark
• 30 years young
• Live in Rijkevoort
• Blogger: https://identity-man.eu
• Dad to be in a few weeks
• https://www.linkedin.com/in/pimjacobs89/
4. MISCONCEPTIONS OF CUSTOMERS ABOUT WINDOWS HELLO FOR BUSINESS
“Why use a PIN, a password is more complex and therefore better?”
“I don’t want Microsoft to have my fingerprint or face stored in Azure AD”
“Windows Hello doesn’t work hybrid as I’m getting credential prompts when accessing on-premises resources”
5. 279% increase in security incidents at enterprises from 2016 to 2017
81% of hacking-related breaches leveraged either stolen and/or weak passwords
20% of support costs for enterprise IT departments are about forgotten passwords
Data obtained from: OTA Cyber Incidents Report 2018; Verizon Cybercrime Case Studies 2017
6. Timeline of Microsoft password-less sign-in options:
• Windows Hello for Business: 2016
• Phone sign-in: Sep 2018
• FIDO2 Security Keys: July 2019
7. • Password-less via biometrics or a PIN;
• Provides strong two-factor authentication;
• Can be deployed in cloud, hybrid, or on-prem environments;
• Supports Multi-factor Unlock;
• Supports Dynamic Lock;
• Keys are generated in hardware (TPM);
• Hardware-bound keys are attested (Trusted Computing Group protocols);
8. Example Configuration: BT Phone & (PIN / Fingerprint / Face)
Resultant Policy: (PIN & BT Phone) OR (FP & BT Phone) OR (Face & BT Phone)
9. • Adds an additional layer of security on top of WHFB by requiring multiple signals or gestures for device unlock.
• Supported gestures and signals:
▪ PIN
▪ Fingerprint
▪ Face
▪ Paired Phone
▪ Network
• Unlock rule is admin configurable via GP and MDM
10. • Locks the user’s PC if the user walks away;
• Goal is to reduce idle time where a device is left unattended and unlocked;
• Uses signal strength from a paired phone to determine user presence;
• Built on the same framework as multi-factor unlock;
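Added example (not from the deck): how the multi-factor unlock policy from slides 8 and 9 and the dynamic lock policy from slide 10 map onto the MDM (PassportForWork CSP) settings that Intune pushes. The credential provider GUIDs, OMA-URIs and the Bluetooth signal rule are the ones Microsoft documents for this CSP; verify them against the current documentation before deploying. The function names are my own.

```powershell
# Credential provider GUIDs as documented by Microsoft for multi-factor unlock.
# Verify against current docs before use.
$Providers = @{
    PIN           = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'
    Fingerprint   = '{BEC09223-B018-416D-A0AC-523971B639F5}'
    Face          = '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
    TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'   # paired phone / network
}

# Signal rule: a paired Bluetooth phone (class of device 512) must be in range.
# The rssi thresholds are the values from Microsoft's documented example rule.
# Dynamic Lock reuses the same rule format with a different scenario.
function New-BluetoothPhoneRule {
    param([ValidateSet('Authentication', 'Dynamic Lock')][string]$Scenario)
@"
<rule schemaVersion="1.0">
  <signal type="bluetooth" scenario="$Scenario" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
"@
}

# Builds the CSP settings for "one factor from group A AND one factor from group B".
# Defaults reproduce the slide: (PIN & BT Phone) OR (FP & BT Phone) OR (Face & BT Phone)
function New-UnlockPolicy {
    param(
        [string[]]$FirstFactor  = @('PIN', 'Fingerprint', 'Face'),
        [string[]]$SecondFactor = @('TrustedSignal')
    )
    $groupA = ($FirstFactor  | ForEach-Object { $Providers[$_] }) -join ','
    $groupB = ($SecondFactor | ForEach-Object { $Providers[$_] }) -join ','

    # The resultant policy is every (A AND B) pair, OR'ed together
    $resultant = foreach ($a in $FirstFactor) {
        foreach ($b in $SecondFactor) { "($a & $b)" }
    }

    [pscustomobject]@{
        ResultantPolicy = ($resultant -join ' OR ')
        Settings = @(
            @{ OmaUri = './Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA';      Type = 'String';  Value = $groupA }
            @{ OmaUri = './Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB';      Type = 'String';  Value = $groupB }
            @{ OmaUri = './Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins';     Type = 'String';  Value = (New-BluetoothPhoneRule -Scenario 'Authentication') }
            @{ OmaUri = './Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock';  Type = 'Boolean'; Value = $true }
            @{ OmaUri = './Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins';      Type = 'String';  Value = (New-BluetoothPhoneRule -Scenario 'Dynamic Lock') }
        )
    }
}

$policy = New-UnlockPolicy
$policy.ResultantPolicy
$policy.Settings | ForEach-Object { [pscustomobject]$_ } | Format-List
```

Each entry in `Settings` corresponds to one custom OMA-URI row in an Intune device configuration profile. Because the rule is "A and B", a phone that is out of range blocks unlock entirely, so the Dynamic Lock rule and the unlock rule should use the same phone signal thresholds to avoid users being locked out on the desk they are sitting at.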
11. Requirements for a cloud-only deployment:
• Windows 10 1703 or higher;
• Devices with a TPM (highly preferred);
• Enrollment of MFA;
• AD Premium P1 Licenses*;
*For advanced configuration with multi-factor unlock and dynamic lock, MEM (Intune) licenses could be required.
13. Azure AD Join:
• Key Trust
• Certificate Trust
(Hybrid Azure) AD Join:
• Key Trust
• Certificate Trust
16. • Certificate trust relies heavily on on-premises infrastructure;
• AD FS federation is a hard requirement;
• Password-less phone sign-in breaks when using AD FS;
• Always use the modern version provided from Azure AD (future resilient).
17. The following requirements are determined for WHFB Hybrid:
• Certificate Authority based on Server 2012 or higher;
• Certificate Revocation List internally accessible via HTTP;
• New KDC certificate deployed to Domain Controllers;
• Root & Intermediate certificates deployed to clients*;
• Windows Server 2008 R2 domain and forest functional level;
• Windows Server 2016 domain controller, at least one on each site;
• Primary Domain Controller (PDC emulator) role hosted on a Server 2016 Domain Controller;
• Synchronized identities via Azure AD Connect;
• Windows 10 physical or virtual machine with TPM;
• AD Premium P1 Licenses;
*If you want to use MEM (Intune) for this you do need a license to use the product.
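Added example (not from the deck): a readiness check for the directory and client prerequisites listed on this slide. It is my own code; it assumes the RSAT ActiveDirectory module is installed on a management workstation whose account can read the directory, and it runs the TPM, Windows build and hybrid join checks on that local machine (run it on the Windows 10 client you are validating). Licensing and the CA/CRL items are not checked here.

```powershell
Import-Module ActiveDirectory

function Test-WhfbHybridPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * -Server $domain.PDCEmulator
    $pdc    = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }

    # Windows Server 2008 R2 forest and domain functional level or higher
    $flOk = ([int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) -and
            ([int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain)

    # Key trust needs a Server 2016 (or later) DC; the PDC emulator must be one of them
    $is2016Plus = { param($os) $os -match 'Windows Server (2016|2019|2022)' }
    $pdcOk = & $is2016Plus $pdc.OperatingSystem

    # At least one 2016+ DC in every site that hosts a DC
    $siteReport = $dcs | Group-Object Site | ForEach-Object {
        [pscustomobject]@{
            Site      = $_.Name
            Has2016DC = [bool]($_.Group | Where-Object { & $is2016Plus $_.OperatingSystem })
            DCs       = ($_.Group.HostName -join ', ')
        }
    }

    # Local client: Windows 10 1703 (build 15063) or higher, TPM present and ready.
    # Get-Tpm needs an elevated prompt; treat failure as "unknown / not ready".
    $build = [Environment]::OSVersion.Version.Build
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { $tpm = $null }

    # Synchronized identity shows up on the client as hybrid Azure AD join
    $dsreg = dsregcmd /status
    $hybridJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES') -and
                    [bool]($dsreg -match 'DomainJoined\s*:\s*YES')

    [pscustomobject]@{
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        FunctionalLevelOk   = $flOk
        PdcEmulator         = $pdc.HostName
        PdcOperatingSystem  = $pdc.OperatingSystem
        PdcIs2016OrLater    = $pdcOk
        SitesMissing2016DC  = @($siteReport | Where-Object { -not $_.Has2016DC } | ForEach-Object { $_.Site })
        LocalWindowsBuild   = $build
        LocalBuildOk        = ($build -ge 15063)
        TpmPresentAndReady  = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        HybridAzureAdJoined = $hybridJoined
    }
}

Test-WhfbHybridPrerequisites | Format-List
```

Every boolean property should read `True` and `SitesMissing2016DC` should be empty before you start the rollout; a site without a 2016+ DC is exactly where key trust sign-in fails for users whose subnet maps to that site.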
19. Greenfield is easy! Existing production environments can bring some challenges:
• Verify if ‘old’ domain controller certificates are removed from the domain controllers;
• Verify the sAMAccountName value in Azure AD;
• Verify DNS names on domain controller certificates;
• Verify if the CRL isn’t expired or unreachable;
• Verify if your subnet belongs to a site within AD Sites and Services where a Server 2016 Domain Controller is available;
• Verify if the correct root and intermediate certificates are available on the end user machine;
• WHfB Dual Enrollment (combine non-privileged & privileged credentials).
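Added example (not from the deck): pre-flight checks for the certificate, CRL and site items on this slide. The code is my own. `Test-KdcCertificate` runs on each domain controller and inspects the certificates in the machine store; `Test-ClientTrustPath` runs on a Windows 10 client, resolves its AD site, and validates the DC's LDAPS certificate with online revocation checking, which exercises both the client's root/intermediate store and CRL reachability from the client's network. `dc01.corp.example` is a constructed placeholder; the sAMAccountName and dual enrollment checks are not covered.

```powershell
# --- Run on each domain controller ---
function Test-KdcCertificate {
    $kdcAuthOid    = '1.3.6.1.5.2.3.5'    # KDC Authentication EKU (Kerberos Authentication template)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU
    $domainDns = (Get-CimInstance Win32_ComputerSystem).Domain.ToLower()
    $hostFqdn  = "$env:COMPUTERNAME.$domainDns".ToLower()

    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $ekus = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
                 ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        # SAN is not a typed extension in .NET Framework, so parse its text form
        $sanText  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                     ForEach-Object { $_.Format($false) }) -join ' '
        $dnsNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value.ToLower() })

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            NotAfter         = $cert.NotAfter
            HasKdcAuthEku    = ($ekus -contains $kdcAuthOid)
            # A server-auth certificate without the KDC Authentication EKU comes from the
            # old Domain Controller / Domain Controller Authentication templates: remove it
            OldDcCertificate = ($ekus -contains $serverAuthOid) -and ($ekus -notcontains $kdcAuthOid)
            HasHostDnsName   = ($dnsNames -contains $hostFqdn)
            HasDomainDnsName = ($dnsNames -contains $domainDns)
            Expired          = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# --- Run on a Windows 10 client ---
function Test-ClientTrustPath {
    param([string]$DomainController = 'dc01.corp.example')   # constructed placeholder

    # GetComputerSite() throws when the client's subnet is not mapped in AD Sites and Services
    try {
        $siteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
        $siteDcs  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindAllDomainControllers($siteName)
        $has2016DC = [bool]($siteDcs | Where-Object { $_.OSVersion -match '2016|2019|2022' })
    } catch {
        $siteName = $null; $has2016DC = $false
    }

    # Fetch the DC's certificate over LDAPS. The callback accepts any certificate here only
    # because the chain is validated explicitly below with online revocation checking.
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DomainController)
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($dcCert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Site          = $siteName
        SiteHas2016DC = $has2016DC
        DcCertSubject = $dcCert.Subject
        ChainValid    = $chainOk
        # UntrustedRoot / PartialChain: root or intermediate missing on the client
        TrustPathOk   = -not [bool]($status -match 'UntrustedRoot|PartialChain')
        # RevocationStatusUnknown / OfflineRevocation: CRL unreachable or expired
        CrlOk         = -not [bool]($status -match 'Revocation')
        ChainStatus   = ($status -join ', ')
    }
}

Test-ClientTrustPath -DomainController 'dc01.corp.example' | Format-List
```

On the DC, any row with `OldDcCertificate = True` is a candidate for removal and any row with `HasKdcAuthEku = True` must also have both DNS names; on the client, `CrlOk = False` with `ChainValid = False` is the classic symptom behind the "credential prompts for on-premises resources" complaint from slide 4, because key trust sign-in cannot complete without a fresh CRL.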
20. Do not use Windows Hello for Business in the following scenarios:
• Shared devices;
• Devices which don’t have a TPM (when you’ve chosen key trust);
Alternatives:
• Use FIDO2 security keys to replace Windows Hello capabilities;
RDP logon with WHfB Hybrid is not supported (yet) with the key-based scenario.