SlideShare a Scribd company logo

DI Amsterdam meetup windows hello core slides 20200319

Martin Sandren
Martin Sandren

Core presentation from the Digital Identity Amsterdam Windows Hello Meetup in March 2020.

Technology
1 of 22
Download to read offline
WINDOWS HELLO FOR BUSINESS March 19, 2020 IDMEETUP NIXU
WHO AM I? WHFB INTRO DEMO DEPLOYMENT MODELS WHFB HYBRID DEMO TIPS & TRICKS QUESTIONS Copyright InSpark
PIM JACOBS Senior Consultant at InSpark -- 30 years young -- Live in Rijkevoort -- Blogger https://identity-man.eu -- Dad to be in a few weeks -- https://www.linkedin.com/in/pimjacobs89/ Copyright InSpark
MISCONCEPTIONS OF CUSTOMERS ABOUT WINDOWS HELLO FOR BUSINESS “Why use a PIN, a password is more complex and therefore better?” “I don’t want Microsoft to have my fingerprint or face stored in Azure AD” “Windows Hello doesn’t work hybrid as I’m getting credential prompts when accessing on-premises resources” Copyright InSpark
Copyright InSpark 279% increase in security incidents at enterprises from 2016 to 2017 81% of hacking-related breaches leveraged either stolen and/or weak passwords 20% of support costs for enterprise IT departments are about forgotten passwords Data obtained from: OTA Cyber incidents Report 2018 Verizon Cybercrime Case Studies 2017
Windows Hello for Business Phone sign-in FIDO2 Security Keys 2016 Sep 2018 July 2019
• Password-less via Biometrics or a PIN; • Provides strong two-factor authentication; • Can be deployed in cloud, hybrid, or on-prem environments ; • Supports Multi-factor Unlock; • Supports Dynamic Lock; • Keys are generated in hardware (TPM); • Hardware bound keys are attested (Trusted Computing Group Protocols);
BT Phone& Resultant Policy: (PIN & BT Phone ) OR (FP & BT Phone) OR (Face & BT Phone ) Example Configuration PIN Fingerprint Face • Adds an additional layer of security on top of WHFB by requiring multiple signals or gestures for device unlock. • Supported Gestures and Signals: ▪ PIN ▪ Fingerprint ▪ Face ▪ Paired Phone ▪ Network • Unlock rule is admin configurable via GP and MDM
First Unlock Factors: • Pin • Fingerprint • Facial Recognition Second Unlock Factors: • Trusted Signals • PIN Fallback: • Password
• Locks user’s PC if user walks away; • Goal is to reduce idle time where device is left unattended and unlocked; • Uses signal strength from a paired phone to determine user presence; • Built on the same framework as multi-factor unlock;
Requirements for a cloud only deployment: • Windows 10 1703 or higher; • Devices with a TPM (highly preferred); • Enrollment of MFA; • AD Premium P1 Licenses*; *For advanced configuration with multi-factor unlock and dynamic lock MEM (Intune) licenses could be required.
DEMO HOW TO CONFIGURE AND ENROLL
Azure AD Join • Key Trust • Certificate trust (Hybrid Azure) AD Join • Key Trust • Certificate trust
• Certificate trust relies heavily on on-premises infrastructure; • AD FS Federation hard requirement; • Password less phone sign-in breaks when using AD FS; • Always use the modern version provided from Azure AD (future resilient).
The following requirements are determined for WHFB Hybrid: • Certificate Authority based on Server 2012 or higher; • Certificate Revocation List internally accessible via HTTP; • New KDC certificate deployed to Domain Controllers; • Root & Intermediate certificates deployed to clients*; • Windows Server 2008 R2 domain and forest functional level; • Windows Server 2016 domain controller, at least one on each site; • Primary Domain Controller role hosted on a Server 2016 Domain Controller; • Synchronized Identities via Azure AD Connect; • Windows 10 Physical or Virtual Machine with TPM; • AD Premium P1 Licenses; *If you want to use MEM (Intune) for this you do need license to use the product.
DEMO HOW TO GO HYBRID?
Greenfield is easy! Existing production environments can bring some challenges: • Verify if ‘old’ domain controller certificates are removed from the domain controllers; • Verify Samaccountname value in Azure AD; • Verify DNS Names on Domain Controller certificates; • Verify if the CRL isn’t expired or unreachable; • Verify if your subnet belongs to a site within AD Sites and Services where a Server 2016 Domain Controller is available; • Verify if the correct root and intermediate certificates are available on the end user machine; • WHfB Dual Enrollment (combine non-privileged & privileged credentials).
Do not use Windows Hello for Business in the following scenario’s: • Shared devices; • Devices which don’t have a TPM (when you’ve chosen for Key-trust); Alternatives: • Use FIDO2 Security keys to replace Windows Hello capabilities; RDP logon with WHfB Hybrid not supported (yet) with key-based scenario;
Blogs: • https://identity-man.eu/2020/01/03/password-less-2-of-5-going-password-less- with-windows-hello-for-business/ • https://identity-man.eu/2020/02/13/password-less-3-of-5-going-password-less- with-windows-hello-for-business-hybrid/ And remember, “Keep it stupid simple (KISS)”.
https://identity-man.eu QUESTIONS?

Recommended

Microsoft Windows 10 for the Enterprise
Microsoft Windows 10 for the EnterpriseMicrosoft Windows 10 for the Enterprise
Microsoft Windows 10 for the EnterpriseDavid J Rosenthal
 
Working with MS Endpoint Manager
Working with MS Endpoint ManagerWorking with MS Endpoint Manager
Working with MS Endpoint ManagerGeorge Grammatikos
 
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan David J Rosenthal
 
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...FIDO Alliance
 
Enterprise Mobility Suite-Microsoft Intune
Enterprise Mobility Suite-Microsoft IntuneEnterprise Mobility Suite-Microsoft Intune
Enterprise Mobility Suite-Microsoft IntuneLai Yoong Seng
 
Azure conditional access
Azure conditional accessAzure conditional access
Azure conditional accessTad Yoke
 
Taking conditional access to the next level
Taking conditional access to the next levelTaking conditional access to the next level
Taking conditional access to the next levelRonny de Jong
 
5 modern desktop - windows autopilot
5 modern desktop - windows autopilot5 modern desktop - windows autopilot
5 modern desktop - windows autopilotAndrew Bettany
 

Recommended

Microsoft Windows 10 for the Enterprise
Microsoft Windows 10 for the EnterpriseMicrosoft Windows 10 for the Enterprise
Microsoft Windows 10 for the EnterpriseDavid J Rosenthal
 
Working with MS Endpoint Manager
Working with MS Endpoint ManagerWorking with MS Endpoint Manager
Working with MS Endpoint ManagerGeorge Grammatikos
 
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan David J Rosenthal
 
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...FIDO Alliance
 
Enterprise Mobility Suite-Microsoft Intune
Enterprise Mobility Suite-Microsoft IntuneEnterprise Mobility Suite-Microsoft Intune
Enterprise Mobility Suite-Microsoft IntuneLai Yoong Seng
 
Azure conditional access
Azure conditional accessAzure conditional access
Azure conditional accessTad Yoke
 
Taking conditional access to the next level
Taking conditional access to the next levelTaking conditional access to the next level
Taking conditional access to the next levelRonny de Jong
 
5 modern desktop - windows autopilot
5 modern desktop - windows autopilot5 modern desktop - windows autopilot
5 modern desktop - windows autopilotAndrew Bettany
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
An introduction to Defender for Business
An introduction to Defender for BusinessAn introduction to Defender for Business
An introduction to Defender for BusinessRobert Crane
 
SCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture DecisionsSCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture DecisionsAnoop Nair
 
Modern Devices Management
Modern Devices ManagementModern Devices Management
Modern Devices ManagementAtanas Gergiminov
 
Managing iOS with Microsoft Intune
Managing iOS with Microsoft IntuneManaging iOS with Microsoft Intune
Managing iOS with Microsoft IntuneSimon May
 
Preparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional AccessPreparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional AccessJason Condo
 
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Marius Zaharia
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and ComplianceKarina Matos
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsVignesh Ganesan I Microsoft MVP
 
EPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security OverviewRobert Crane
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365David J Rosenthal
 
End to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via IntuneEnd to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via IntuneAnoop Nair
 
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019Marius Zaharia
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
Modern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure ADModern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure ADFabian Niesen
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentationData Unit
 
Azure AD Connect
Azure AD ConnectAzure AD Connect
Azure AD ConnectSasha Rosenbaum
 
Microsoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewMicrosoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewDavid J Rosenthal
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with MicrosoftFIDO Alliance
 
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud JumeletFIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud JumeletIdentity Days
 

More Related Content

What's hot

Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
An introduction to Defender for Business
An introduction to Defender for BusinessAn introduction to Defender for Business
An introduction to Defender for BusinessRobert Crane
 
SCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture DecisionsSCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture DecisionsAnoop Nair
 
Managing iOS with Microsoft Intune
Managing iOS with Microsoft IntuneManaging iOS with Microsoft Intune
Managing iOS with Microsoft IntuneSimon May
 
Preparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional AccessPreparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional AccessJason Condo
 
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Marius Zaharia
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and ComplianceKarina Matos
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsVignesh Ganesan I Microsoft MVP
 
EPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security OverviewRobert Crane
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365David J Rosenthal
 
End to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via IntuneEnd to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via IntuneAnoop Nair
 
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019Marius Zaharia
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
Modern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure ADModern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure ADFabian Niesen
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentationData Unit
 
Microsoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewMicrosoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewDavid J Rosenthal
 

What's hot (20)

Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 
An introduction to Defender for Business
An introduction to Defender for BusinessAn introduction to Defender for Business
An introduction to Defender for Business
 
SCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture DecisionsSCCM Intune Windows 10 Co Management Architecture Decisions
SCCM Intune Windows 10 Co Management Architecture Decisions
 
Modern Devices Management
Modern Devices ManagementModern Devices Management
Modern Devices Management
 
Managing iOS with Microsoft Intune
Managing iOS with Microsoft IntuneManaging iOS with Microsoft Intune
Managing iOS with Microsoft Intune
 
Preparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional AccessPreparing your enteprise for Hybrid AD Join and Conditional Access
Preparing your enteprise for Hybrid AD Join and Conditional Access
 
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
Multi-Tenant Identity and Azure Resource Governance - ReBUILD 2019
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASB
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
 
EPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities Overview
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365
 
End to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via IntuneEnd to End Guide Windows AutoPilot Process via Intune
End to End Guide Windows AutoPilot Process via Intune
 
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information Protection
 
Modern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure ADModern deployment with Autopilot and Azure AD
Modern deployment with Autopilot and Azure AD
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentation
 
Azure AD Connect
Azure AD ConnectAzure AD Connect
Azure AD Connect
 
Microsoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 OverviewMicrosoft 365 Enterprise Security with E5 Overview
Microsoft 365 Enterprise Security with E5 Overview
 

Similar to DI Amsterdam meetup windows hello core slides 20200319

Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with MicrosoftFIDO Alliance
 
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud JumeletFIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud JumeletIdentity Days
 
SCUGBE_Lowlands_Unite_2017_Protecting cloud identities
SCUGBE_Lowlands_Unite_2017_Protecting cloud identitiesSCUGBE_Lowlands_Unite_2017_Protecting cloud identities
SCUGBE_Lowlands_Unite_2017_Protecting cloud identitiesKenny Buntinx
 
O365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
O365Con19 - A Life Without Passwords Dream or Reality - Sander BerkouwerO365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
O365Con19 - A Life Without Passwords Dream or Reality - Sander BerkouwerNCCOMMS
 
Slide 1 - Authenticated Reseller SSL Certificate Authority
Slide 1 - Authenticated Reseller SSL Certificate AuthoritySlide 1 - Authenticated Reseller SSL Certificate Authority
Slide 1 - Authenticated Reseller SSL Certificate Authoritywebhostingguy
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Securely logging to Microsoft 365
Securely logging to Microsoft 365Securely logging to Microsoft 365
Securely logging to Microsoft 365Robert Crane
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
 
Network Field Day 11 - Skyport Systems Presentation
Network Field Day 11 - Skyport Systems PresentationNetwork Field Day 11 - Skyport Systems Presentation
Network Field Day 11 - Skyport Systems PresentationDouglas Gourlay
 
The Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM iThe Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM iPrecisely
 
Ask the expert session on ibm traveler and new security changes
Ask the expert session on ibm traveler and new security changes Ask the expert session on ibm traveler and new security changes
Ask the expert session on ibm traveler and new security changes jayeshpar2006
 
120019_top5_security
120019_top5_security120019_top5_security
120019_top5_securityJessica Hirst
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionOption3
 
Security On The Edge - A New Way To Think About Securing the Internet of Things
Security On The Edge - A New Way To Think About Securing the Internet of ThingsSecurity On The Edge - A New Way To Think About Securing the Internet of Things
Security On The Edge - A New Way To Think About Securing the Internet of ThingsForgeRock
 
Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...Nordic Infrastructure Conference
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsBeyondTrust
 

Similar to DI Amsterdam meetup windows hello core slides 20200319 (20)

Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
 
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud JumeletFIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
FIDO2 : vers la fin des mots de passe ? - Par Arnaud Jumelet
 
SCUGBE_Lowlands_Unite_2017_Protecting cloud identities
SCUGBE_Lowlands_Unite_2017_Protecting cloud identitiesSCUGBE_Lowlands_Unite_2017_Protecting cloud identities
SCUGBE_Lowlands_Unite_2017_Protecting cloud identities
 
O365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
O365Con19 - A Life Without Passwords Dream or Reality - Sander BerkouwerO365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
O365Con19 - A Life Without Passwords Dream or Reality - Sander Berkouwer
 
Slide 1 - Authenticated Reseller SSL Certificate Authority
Slide 1 - Authenticated Reseller SSL Certificate AuthoritySlide 1 - Authenticated Reseller SSL Certificate Authority
Slide 1 - Authenticated Reseller SSL Certificate Authority
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
Securely logging to Microsoft 365
Securely logging to Microsoft 365Securely logging to Microsoft 365
Securely logging to Microsoft 365
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
 
Network Field Day 11 - Skyport Systems Presentation
Network Field Day 11 - Skyport Systems PresentationNetwork Field Day 11 - Skyport Systems Presentation
Network Field Day 11 - Skyport Systems Presentation
 
The Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM iThe Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM i
 
Ask the expert session on ibm traveler and new security changes
Ask the expert session on ibm traveler and new security changes Ask the expert session on ibm traveler and new security changes
Ask the expert session on ibm traveler and new security changes
 
120019_top5_security
120019_top5_security120019_top5_security
120019_top5_security
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA Solution
 
Security On The Edge - A New Way To Think About Securing the Internet of Things
Security On The Edge - A New Way To Think About Securing the Internet of ThingsSecurity On The Edge - A New Way To Think About Securing the Internet of Things
Security On The Edge - A New Way To Think About Securing the Internet of Things
 
Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
 
Lotusphere 2011 SHOW104
Lotusphere 2011 SHOW104Lotusphere 2011 SHOW104
Lotusphere 2011 SHOW104
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

DI Amsterdam meetup windows hello core slides 20200319

  • 1. WINDOWS HELLO FOR BUSINESS March 19, 2020 IDMEETUP NIXU
  • 2. WHO AM I? WHFB INTRO DEMO DEPLOYMENT MODELS WHFB HYBRID DEMO TIPS & TRICKS QUESTIONS Copyright InSpark
  • 3. PIM JACOBS Senior Consultant at InSpark -- 30 years young -- Live in Rijkevoort -- Blogger https://identity-man.eu -- Dad to be in a few weeks -- https://www.linkedin.com/in/pimjacobs89/ Copyright InSpark
  • 4. MISCONCEPTIONS OF CUSTOMERS ABOUT WINDOWS HELLO FOR BUSINESS “Why use a PIN, a password is more complex and therefore better?” “I don’t want Microsoft to have my fingerprint or face stored in Azure AD” “Windows Hello doesn’t work hybrid as I’m getting credential prompts when accessing on-premises resources” Copyright InSpark
  • 5. Copyright InSpark 279% increase in security incidents at enterprises from 2016 to 2017 81% of hacking-related breaches leveraged either stolen and/or weak passwords 20% of support costs for enterprise IT departments are about forgotten passwords Data obtained from: OTA Cyber incidents Report 2018 Verizon Cybercrime Case Studies 2017
  • 6. Windows Hello for Business Phone sign-in FIDO2 Security Keys 2016 Sep 2018 July 2019
  • 7. • Password-less via Biometrics or a PIN; • Provides strong two-factor authentication; • Can be deployed in cloud, hybrid, or on-prem environments ; • Supports Multi-factor Unlock; • Supports Dynamic Lock; • Keys are generated in hardware (TPM); • Hardware bound keys are attested (Trusted Computing Group Protocols);
  • 8. BT Phone& Resultant Policy: (PIN & BT Phone ) OR (FP & BT Phone) OR (Face & BT Phone ) Example Configuration PIN Fingerprint Face • Adds an additional layer of security on top of WHFB by requiring multiple signals or gestures for device unlock. • Supported Gestures and Signals: ▪ PIN ▪ Fingerprint ▪ Face ▪ Paired Phone ▪ Network • Unlock rule is admin configurable via GP and MDM
  • 9. First Unlock Factors: • Pin • Fingerprint • Facial Recognition Second Unlock Factors: • Trusted Signals • PIN Fallback: • Password
  • 10. • Locks user’s PC if user walks away; • Goal is to reduce idle time where device is left unattended and unlocked; • Uses signal strength from a paired phone to determine user presence; • Built on the same framework as multi-factor unlock;
  • 11. Requirements for a cloud only deployment: • Windows 10 1703 or higher; • Devices with a TPM (highly preferred); • Enrollment of MFA; • AD Premium P1 Licenses*; *For advanced configuration with multi-factor unlock and dynamic lock MEM (Intune) licenses could be required.
  • 12. DEMO HOW TO CONFIGURE AND ENROLL
  • 13. Azure AD Join • Key Trust • Certificate trust (Hybrid Azure) AD Join • Key Trust • Certificate trust
  • 14.
  • 15.
  • 16. • Certificate trust relies heavily on on-premises infrastructure; • AD FS Federation hard requirement; • Password less phone sign-in breaks when using AD FS; • Always use the modern version provided from Azure AD (future resilient).
  • 17. The following requirements are determined for WHFB Hybrid: • Certificate Authority based on Server 2012 or higher; • Certificate Revocation List internally accessible via HTTP; • New KDC certificate deployed to Domain Controllers; • Root & Intermediate certificates deployed to clients*; • Windows Server 2008 R2 domain and forest functional level; • Windows Server 2016 domain controller, at least one on each site; • Primary Domain Controller role hosted on a Server 2016 Domain Controller; • Synchronized Identities via Azure AD Connect; • Windows 10 Physical or Virtual Machine with TPM; • AD Premium P1 Licenses; *If you want to use MEM (Intune) for this you do need license to use the product.
  • 18. DEMO HOW TO GO HYBRID?
  • 19. Greenfield is easy! Existing production environments can bring some challenges: • Verify if ‘old’ domain controller certificates are removed from the domain controllers; • Verify Samaccountname value in Azure AD; • Verify DNS Names on Domain Controller certificates; • Verify if the CRL isn’t expired or unreachable; • Verify if your subnet belongs to a site within AD Sites and Services where a Server 2016 Domain Controller is available; • Verify if the correct root and intermediate certificates are available on the end user machine; • WHfB Dual Enrollment (combine non-privileged & privileged credentials).
  • 20. Do not use Windows Hello for Business in the following scenario’s: • Shared devices; • Devices which don’t have a TPM (when you’ve chosen for Key-trust); Alternatives: • Use FIDO2 Security keys to replace Windows Hello capabilities; RDP logon with WHfB Hybrid not supported (yet) with key-based scenario;