Configuring Windows Hello for Business cloud Kerberos trust

This week is all about Windows Hello for Business. More specifically, about Windows Hello for Business cloud Kerberos trust. Not something really new, but definitely something that should be part of the default toolset. Hopefully familiar nowadays, Windows Hello for Business can be used to replace password sign-in with strong authentication on Windows. On top of that, Windows Hello for Business cloud Kerberos trust brings a simplified deployment experience for hybrid authentication with Windows Hello for Business. To provide that functionality, it relies on Microsoft Entra Kerberos for requesting Kerberos ticket-granting tickets (TGTs). Those TGTs can then be used for on-premises authentication. A big difference from the other deployment models is the simplicity: no dependency on a public key infrastructure (PKI) and no need to synchronize …

Configuring the default credential provider

This week is a short post about configuring the default credential provider, and it is basically a small addition to the blog posts of about two years ago around configuring credential providers. At that time the focus was on actually making it impossible to use specific credential providers. This time the focus is on configuring the default credential provider. That can be a powerful combination, but it can also be a step in the direction of guiding users away from using username-password. So, guiding users instead of forcing users. From a technical perspective that could make it a bit easier, as it doesn’t involve removing functionalities. In this case, it simply presents the configured credential provider as the default credential provider. That default credential provider will …

Using authentication strengths in Conditional Access policies

This week is all about a nice feature of Conditional Access. Not a particularly new feature, but an important feature for a solid passwordless implementation. That feature is authentication strengths. Authentication strengths is a Conditional Access control that enables IT administrators to specify which combination of authentication methods must be used to access the assigned cloud apps. Before authentication strengths, it was not possible to differentiate between the different authentication methods that can be used as a second factor. Now, authentication strengths enable organizations to differentiate the available authentication methods between apps, or to simply prevent the use of less secure MFA combinations (like password + SMS). With that, it opens a whole new world of potential scenarios that can be easily addressed. …

Configuring Windows Hello for Business dynamic lock

The last few weeks – before my vacation – were all around Windows Hello for Business. And especially around unlocking devices by using Windows Hello for Business functionalities. This week, however, is a little different. This week is around the automatic lock functionality of Windows Hello for Business. That functionality is Windows Hello for Business dynamic lock. Dynamic lock enables organizations to automatically lock devices when users step away from their device. That automatic lock can be achieved by using the Bluetooth signal of a paired phone. The device will automatically lock when the signal strength of that paired phone falls below the configured minimum value. Of course, automatically locking the device doesn’t prevent users from forgetting to lock their device, but it does prevent the …

Configuring Windows Hello for Business multi-factor unlock

This week continues the journey through Windows Hello for Business. The last weeks were all about requiring the use of Windows Hello for Business, while this week is all about requiring the use of something extra with Windows Hello for Business. That something extra is a second unlock factor. By default, Windows requires the use of a single authentication factor to verify the identity of a user and to unlock the device. And even though the construction of Windows Hello for Business can be considered multi-factor authentication, as it combines something that you have (e.g. a device with a hardware TPM) with something that you know (e.g. a PIN) or something that you are (e.g. a fingerprint), the unlock factor of the device with …

Excluding the password credential provider

This week is a follow-up on the post of last week. In that post there was a reference to the option to completely exclude the password credential provider to force the user into using Windows Hello for Business. This week is all about that option to exclude the password credential provider – and basically any other credential provider – from use during authentication. Credential providers are the primary mechanism for authenticating users in Windows and verifying their identity. Those credential providers are shown to the user as different small tiles, each representing a different option to authenticate in Windows. With Windows 10 and later, credential providers are also used for authenticating users in apps, websites, and more. By installation default, Windows already provides a …

Requiring the use of Windows Hello for Business for interactive logons

This week is all about Windows Hello for Business. Windows Hello for Business provides a really convenient and user-friendly method to authenticate in Windows, as it enables users to verify their identity by using a gesture (face, fingerprint or PIN). More importantly, however, Windows Hello for Business is also an important step in the transition to a passwordless environment, as it replaces the need for traditional username-password authentication with strong two-factor authentication on Windows devices. By default, Windows Hello for Business is an additional method to authenticate in Windows. When working towards a passwordless environment, it’s important to also take further actions for Windows devices, by preventing the use of the traditional username-password and by requiring the use of Windows Hello …

Enable PIN reset from the login screen

This week I’m going for an end-user-experience-focused blog post. This week is all about the PIN reset option on the login screen. In other words, the “I forgot my PIN” option. Starting with Windows 10, version 1709, it’s possible to enable the “I forgot my PIN” option on the login screen. When using Windows Hello for Business, which can be configured during the Windows enrollment by using Microsoft Intune, the PIN is the fallback mechanism when it’s not possible to authenticate with biometrics. In other words, the PIN is really important. In this post I’ll provide the required configuration to offer the user the “I forgot my PIN” option on the login screen. I’ll do that by assuming that the user …
