Controlling Microsoft Passport for Work on Windows 10 via OMA-DM

This week another blog post about Windows 10 and OMA-DM. However, this time it might not be that obvious. In this post I’ll go through the configuration of enabling the provisioning of Microsoft Passport for Work on Windows 10 devices. Maybe even more important, I’ll go through the PassportForWork configuration service provider (CSP) that is used to provision that configuration.

During this blog post I’ll go through the PassportForWork CSP, the configuration steps in Microsoft Intune hybrid and standalone and the end-user experience.

PassportForWork CSP

Before starting with the configuration of enabling the provisioning of Microsoft Passport for Work on Windows 10 devices, it’s good to get a better understanding  of what is actually used to get the configuration in place. The configuration through Microsoft Intune hybrid and standalone uses the PassportForWork CSP. That CSP is used to provision Microsoft Passport for Work, which allows the end-user to login to Windows using the AD, or Azure AD, account and replace passwords, smartcards, and virtual smart cards for that specific device. Microsoft Passport for Work lets the end-user use a user gesture to login, instead of a password. A user gesture can be a simple PIN, biometric authentication, or an external device.

Below is an overview of the nodes of the PassportForWork CSP. I won’t go through the nodes in detail, as that information will come during the configuration, but make sure to switch back a couple of times to connect the configuration with the CSP.

User configuration Device configuration
UserConfigDiagram DeviceConfigDiagram

Configuration

Now it’s time to start with the configuration of enabling the provisioning of Microsoft Passport for Work on Windows 10 devices. I’ll walk through the configuration steps for Microsoft Intune hybrid and standalone and I’ll provide the configuration options. While going through the configuration options, please make sure to switch back to the PassportForWork CSP a few times and connect the configuration options with the CSP nodes.

Microsoft Intune hybrid

Let’s start with the configuration in Microsoft Intune hybrid. I’ll walk through the required steps to configure Microsoft Passport for Work for enrolled Windows 10 devices.

1 In the Configuration Manager administration console, navigate to Assets and Compliance > Overview > Cloud Services > Microsoft Intune Subscriptions;
2 Select Microsoft Intune Subscription and on the Home tab, click Configure Platforms > Windows to open the Microsoft Intune Subscription Properties;
3

On the Passport for Work tab, select Enable Passport for Work for enrolled devices, configure the following required settings and click OK;

  • MIHybrid_PropertiesUse a Trusted Platform Module (TPM): Select [Required] or [Preferred] to require or prefer the use of TPM. If TPM is preferred and not available, software encryption is used;
  • Require minimum PIN length: [Specify a minimum PIN length of at least 4 characters];
  • Require maximum PIN length: [Specify a maximum PIN length of up to 127 characters];
  • Require upper-case letters in PIN: Select [Not allowed] or [Required] to specify whether uppercase letters should be used or not;
  • Require lower-case letters in PIN: Select [Not allowed] or [Required] to specify whether lowercase letters should be used or not;
  • Require special characters: Select [Not allowed] or [Required] to specify whether special characters should be used or not;
  • Require PIN expiration: If enabled, [Specify a number of days before PIN must be changed];
  • Prevent reuse of previous PINs: If enabled, [Specify a number of previous PINs that are restricted from reuse];
  • Enable biometric gestures: Select [Yes] or [No] to enable biometric gestures for authentication. If enabled, end-users must still configure PIN in case biometric authentication fails;
  • Use enhanced anti-spoofing, when available: Select [Not configured], [Yes] or [No] to enable the support for anti-spoofing, when available;
  • Use Remote Passport: Select [Yes] or [No] to enable the support for remote passport for Azure AD joined devices or not.

Microsoft Intune standalone

Let’s continue with the same configuration within Microsoft Intune standalone. I’ll walk through the required steps to configure Microsoft Passport for Work for enrolled Windows 10 devices.

1 In the Microsoft Intune administration console, navigate to ADMIN > Mobile Device Management > Windows > Passport for Work;
2

On the Passport for Work page, select Enable Passport for Work on enrolled devices, configure the following required settings and click Save;

  • MIStandalone_PropertiesUse a Trusted Platform Module (TPM): Select [Required] or [Preferred] to require or prefer the use of TPM. If TPM is preferred and not available, software encryption is used;
  • Require minimum PIN length: [Specify a minimum PIN length of at least 4 characters];
  • Require maximum PIN length: [Specify a maximum PIN length of up to 127 characters];
  • Require lowercase letters in PIN: Select [Not allowed], [Allowed] or [Required] to specify whether lowercase letters should be used or not;
  • Require uppercase letters in PIN: Select [Not allowed], [Allowed] or [Required] to specify whether uppercase letters should be used or not;
  • Require special characters: Select [Not allowed], [Allowed] or [Required] to specify whether special characters should be used or not;
  • PIN expiration (days): If enabled, [Specify a number of days before PIN must be changed];
  • Remember PIN history: If enabled, [Specify a number of previous PINs that are restricted from reuse];
  • Enable biometric gestures: Select [Yes] or [No] to enable biometric gestures for authentication. If enabled, end-users must still configure PIN in case biometric authentication fails;
  • Use enhanced anti-spoofing, when available: Select [Not configured], [Yes] or [No] to enable the support for anti-spoofing, when available;
  • Use Remote Passport: Select [Yes] or [No] to enable the support for remote passport for Azure AD joined devices or not.

End-user experience

Let’s end this post with the most important thing, the end-user experience. After the device is registered in Azure AD and enrolled into Microsoft Intune hybrid, or standalone, Microsoft Passport for Work will be provisioned for the end-user. On a fresh device the end-user will be prompted to set up a PIN during the initial logon. A successful configuration will be logged in the User Device Registration node in the Event Viewer with Event ID 300.

End-user experience Event Viewer
PINConfig PINConfig_EV

More information

Fore more information about Microsoft Passport for Work on Windows 10 and the PassportForWork CSP, please refer to: