Passwords are messy! They are hard to remember, easy to hack and not secured. Microsoft sees over 10 million username/password pair attacks every day. And many IT help desks in the organizations spend their significant time responding to password reset requests from employees
Moving passwordless using Windows Hello for Business is the most secured way forward and end this drama. Password-less authentications is convenient for users as well as secured.
However, there are some considerations before password-less authentication is deployed into the organizations where the devices are joined to on-premise Active directory. Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust. Below are the ways WHFB password-less can be deployed
- Hybrid Azure AD Joined Key Trust Deployment (Devices which are joined to on-premise AD as well as Azure AD)
- Hybrid Azure AD Joined Certificate Trust Deployment (Devices which are joined to on-premise AD as well as Azure AD)
- Azure AD Join Single Sign-on Deployment Guides (Devices which are only joined to Azure AD)
- On Premises Key Trust Deployment (Devices which are only joined to on-premise AD)
- On Premises Certificate Trust Deployment (Devices which are only joined to on-premise AD)
Hybrid Azure AD joined Key Trust Deployment is the most common trust model deployed which we will be discussing further in this article. If you want to know more about all the deployment methods and trust model, please go through the document here
However, there are some critical pre-requisites and considerations before you deploy Windows Hello for Business using Hybrid Azure AD joined Key Trust
- Hybrid Windows Hello for business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.
- The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2
- A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
- Key trust deployment needs adequate number of Windows Server 2016 domain controllers in each site where users authenticate using Windows Hello for business.
NOTE: Windows Hello for Business Key Trust based password-less will work even if you have a single Windows Server 2016 Domain Controller deployed in the entire domain. However, that would not be enough to take the authentication traffic if the numbers of users are high and a thorough sizing exercise is required.
NOTE: If you have limitations to have any Windows Server 2016 domain controllers, you can fall back to using Windows Hello for Business Certificate Trust based deployment
- The devices that will be enabled for password-less should be hybrid domain joined. For that to happen the devices should be synced to Azure AD via AD Connect
NOTE: To configure Azure AD connect for Hybrid AD join you can refer to the article here
- The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. To know more details on the certificate requirements refer to the article here
- Your Windows 10 devices should be enrolled to Intune. If the windows 10 devices are already managed by SCCM you will have to setup co-management. Co-management requires Configuration Manager version 1710 or later.
NOTE: You can still move to Intune standalone if you are not in a position to upgrade your SCCM to 1710 or later. The pros and cons of moving your devices to Intune standalone calls for a separate blog on its own.
Users will still need to fall back to passwords in a few scenarios. Like in cases the users forget their Windows Hello PIN and want to reset or they want to access other AD integrated applications in the environment. To eliminate the usage of passwords below are some of the steps to be taken:
o Set all the users to password never expires. Password changes do more harm than good anyways. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.
Microsoft recommends to set all users to Password never expires and use conditional access instead!
o User should use Self Service Password Resets in case they want to fall back to passwords. In this way the users can still reset their passwords in case they forget them without calling the IT or help desk. Ensure you have password write back enabled in the environment.
o All the applications should move to SSO so there is less or no usage of passwords. They may still need to use passwords for applications accessed from a non-corporate device.
o Put strong conditional access policies and MFA for accessing corporate applications.
Hope this helps summarize deploying Windows Hello for Business password-less authentication using Key Trust model.
If you still have questions on Windows Hello for Business, you can refer to the FAQ or reach out to me.
Fahad, Founder and CEO, kloudynet