Passwordless authentication using Windows Hello For Business (WHFB) with Microsoft product group

The Microsoft 425Show
10K views

Deep-dive livestream on going passwordless with Windows Hello for Business (WHfB) and on how cloud Kerberos trust works. As organizations move toward passwordless authentication for better security and user experience, this livestream with the Microsoft product groups works through the details by way of the questions and answers raised during the session.
00:00 Introduction
04:10 Background (AuthN methods, WHfB)
05:48 Where to start
06:52 WHfB trust types and deployment models
13:04 Cloud Trust deployment steps
21:48 How cloud Kerberos trust works
27:33 In depth Demo (All the magic behind)
52:48 Recap!

Category: Science

Published: 25 Jul 2024
Comments: 26
@KylePMoore (5 months ago)
This video just saved our implementation of WHfB. I was able to Wireshark the domain controller thanks to JJ's walkthrough and found that Windows Hello was only trying certificate authentication, even though the relevant setting was 'not configured'! I forced it to Disabled and we're off to the races. Can't thank you enough!
@papajohnscookie (25 days ago)
Great demo thanks a lot
@yassinesouabni5192 (2 months ago)
Great presentation - all clear - thank you!
@vaibhavmane1655 (10 months ago)
Awesome Demo @JJ and thanks for the Microsoft YT channel. Would like to see more CKT videos like this.😇
@jjstreicher-bremer309 (9 months ago)
What aspects of CKT are you looking for? Always looking to help more folks get rid of passwords. :)
@user-yf9nu5xf4z (5 months ago)
Great video, would love to see a video on how to troubleshoot the PRT!
@infosec4cloud (1 year ago)
Great video and presentation, it's really helpful. Is it possible to share the PPT? Thanks guys!
@425show (1 year ago)
github.com/425show/level400
@c016smith52 (10 months ago)
At 15:18, you talk about TAP not working for enrollment while on hybrid-joined devices; is that shortcoming going to be addressed, or should we still be looking to migrate to just AADJ?
@Beni770 (5 months ago)
Is offline login possible too? I mean after the first login with LoS with DC, let's say I take my laptop somewhere I don't have internet connection, will I be able to login with PIN/Fingerprint...
@prathapkalluri6402 (1 year ago)
Hello @JJ, I have configured the GPO for Hybrid deployment but it is taking the fingerprint and asking for the second factor authentication. Second Factor Auth is not working in my case giving the below error, can you please give some insights on this.
@425show (1 year ago)
That sounds like you have an additional GPO configured to force second factor auth. RU-vid comments are not a great place to troubleshoot. Please open a support case or try posting the full issue techcommunity.microsoft.com/t5/security-compliance-and-identity/bd-p/SecurityandCompliance
@MrMarcLaflamme (1 year ago)
Is there a way to enable WHfB but not force users to register (was looking for an option in Intune but I think it's only in a GPO - Do not start provisioning after sign-in?)? In the pilot I'm working on any user who is added to the config profile to enable WHfB is automatically prompted to setup Hello the next time they log in. We want to enable the feature but give users the choice in the beginning. Any new device they receive is AAD joined and automatically enabled but for the hybrid users we don't want that due to the DC LoS requirement.
@webcomment8895 (1 year ago)
Why would LoS to a DC be an issue for a hybrid joined device? They need it to log in to a hybrid joined device even without Windows Hello. If you have users that you want to not use Windows Hello and you don't have a security requirement to enforce this, then exempt their PC from the GPO that enables it. You can inform users that it's coming many days prior to enabling it so that users with a use case that won't work with Windows Hello can submit feedback giving their reason why they can't use it and their device can be excluded from the scope of the GPO or Intune configuration profile.
@MrMarcLaflamme (1 year ago)
@webcomment8895 The first time WHfB is configured on a hybrid device it needs LoS to a DC when logging in. Using a password to log in does not need LoS to a DC as long as the user has connected before, which in our case everyone has. We do not have always-on VPN nor can our VPN currently connect before login. Turns out there is a way to accomplish what I need but it involves both using Intune and GPO (or regkey set via PowerShell) because the specific feature only exists in GPO form.
@jjstreicher-bremer309 (1 year ago)
Yes, you have it right. GPO has the check box "Do not start Windows Hello provisioning after sign-in", unfortunately Intune does not. To be clear though, users can provision their credentials without line-of-sight to a DC, they just can't use them to sign-in the first time without LOS.
@MrMarcLaflamme (1 year ago)
@jjstreicher-bremer309 yes I understand that. The first time login will definitely cause issues (support calls) even with email notifications telling users what to expect.
@425show (1 year ago)
Thanks JJ!
@tedzhang5663 (1 year ago)
When running Set-AzureADKerberosServer, I am getting error "set-AzureADKerberosServer : Failed to read secrets from the domain "my_domain"". There is a computer object created on-prem but CloudDisplayName, CloudDomainDnsName, etc. are all empty when running Get-AzureADKerberosServer. Any ideas?
@425show (1 year ago)
I would double check you have the correct permissions for both AAD and AD. It sounds like you might not have it for AAD. RU-vid comments probably aren't the best spot for troubleshooting this. I would recommend you try posting that techcommunity.microsoft.com/t5/security-compliance-and-identity/ct-p/MicrosoftSecurityandCompliance and see if anyone else over there can help dig in a bit more or open a support case.
@tedzhang5663 (1 year ago)
@425show Thanks for the reply! I have opened a case with Microsoft and they are currently looking into this issue. Seems like the issue is on the on-prem DC.
@425show (1 year ago)
@tedzhang5663 Post back what the solution ends up being!
@gabrielbigger4386 (1 year ago)
How does RDP work with WHfB? Is the only option certificate trust to go passwordless?
@425show (1 year ago)
To do H4B today you have to use cert trust method. learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop. There are many options for passwordless though, www.microsoft.com/en-us/security/business/solutions/passwordless-authentication?rtc=1
@jjstreicher-bremer309 (9 months ago)
The good news is that RDP now supports "EntraID RDP" authentication. learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc#connect-with-azure-ad-authentication which requires the session host to be connected to EntraID. There are some limitations based on version (server 2022 is required for server OS), but it works really well.