Windows Hello for Business – Planning and Implementing Authentication
Microsoft’s recommended solution for passwordless authentication is Windows Hello for Business (WHfB). It is designed for users who have their own dedicated PC. At sign-in, the user presents a biometric or a PIN. That gesture is used locally to unlock a device-bound private key; it is never sent to the identity provider as a credential, which is what distinguishes it from a password.
Windows Hello for Business supports a variety of biometric logins, including facial recognition and fingerprint scanning. Devices configured to use Windows Hello can be recognized by the Windows Hello smiley face greeting at the top of the sign-in screen:

Figure 7.1 – Windows Hello for Business sign-on screen
After configuring Windows Hello, the sign-in flow follows this sequence, as depicted in Figure 7.2:

Figure 7.2 – Windows Hello authentication sequence
The steps are as follows:
- The user signs in with biometrics or, if the configured biometric input cannot be accessed, with the PIN. The gesture unlocks the WHfB user private key, which is protected by the device’s Trusted Platform Module (TPM) and never leaves it. Windows (winlogon and lsass) passes the collected credential to the Cloud authentication security support provider, also known as the Cloud AP, the on-device security package that performs the rest of the exchange.
- The Cloud AP requests a nonce (a single-use random value) from Azure AD.
- Azure AD returns the nonce to the Cloud AP on the endpoint.
- The Cloud AP signs the nonce with the user’s private key and returns the signed nonce to Azure AD.
- Azure AD validates the signature with the user’s public key that was registered during provisioning (a signature is verified, not decrypted) and checks that the nonce is one it issued and has not already been used, so a captured signed nonce cannot be replayed. After validation, Azure AD issues a primary refresh token (PRT) with a session key, encrypts the session key to the device’s public transport key, and sends both to the Cloud AP.
- The Cloud AP decrypts the session key with the device’s private transport key and protects it using the TPM.
- The Cloud AP returns a successful response to Windows, which caches the PRT and completes the logon.
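The nonce exchange above, modelled end to end in Go. This is an added example, not Microsoft’s code or the real protocol implementation: an in-memory ECDSA P-256 key stands in for the TPM-protected WHfB user key, an RSA-2048 key for the device transport key, the PRT is placeholder random bytes, and the type and function names (CloudAP, AzureAD, Provision, IssueNonce, SignNonce, RedeemNonce, SignIn) are assumptions made for the model. What it does show is the part of the design that matters for security: only public keys reach Azure AD, Azure AD verifies a signature rather than decrypting anything, a nonce can be redeemed exactly once, and the session key can be recovered only with the device’s own transport key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CloudAP models the on-device Cloud AP provider. The real WHfB user key is generated in, and never leaves, the TPM; an in-memory ECDSA key stands in for it here.
type CloudAP struct {
	userKey      *ecdsa.PrivateKey // unlocked by the PIN/biometric gesture
	transportKey *rsa.PrivateKey   // device transport key created at device registration
}

// AzureAD models the identity provider: only public keys, plus the nonces it has issued.
type AzureAD struct {
	userPub      *ecdsa.PublicKey
	transportPub *rsa.PublicKey
	issued       map[string]bool // nonces issued and not yet redeemed (single use)
}

// Provision generates the device keys and registers their public halves with Azure AD.
func Provision() (*CloudAP, *AzureAD, error) {
	uk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	dev := &CloudAP{userKey: uk, transportKey: tk}
	aad := &AzureAD{&uk.PublicKey, &tk.PublicKey, map[string]bool{}}
	return dev, aad, nil
}

// IssueNonce hands out a fresh 32-byte random value and records it as outstanding.
func (a *AzureAD) IssueNonce() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	a.issued[string(n)] = true
	return n
}

func (c *CloudAP) SignNonce(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce) // proof of possession of the user private key
	return ecdsa.SignASN1(rand.Reader, c.userKey, digest[:])
}

// RedeemNonce rejects unknown or reused nonces, verifies (not decrypts) the signature, then returns a PRT and a session key encrypted to the transport key.
func (a *AzureAD) RedeemNonce(nonce, sig []byte) ([]byte, []byte, error) {
	if !a.issued[string(nonce)] {
		return nil, nil, errors.New("unknown or already-redeemed nonce")
	}
	delete(a.issued, string(nonce)) // consume first, so a replayed signed nonce never succeeds
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(a.userPub, digest[:], sig) {
		return nil, nil, errors.New("signature does not verify against the registered user key")
	}
	prt, sessionKey := make([]byte, 48), make([]byte, 32) // PRT is placeholder bytes in this model
	rand.Read(prt)
	rand.Read(sessionKey)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, a.transportPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return prt, enc, nil
}

// SignIn runs the exchange from the device side; the real Cloud AP would then protect the session key with the TPM and hand the PRT to lsass.
func (c *CloudAP) SignIn(a *AzureAD) ([]byte, []byte, error) {
	nonce := a.IssueNonce()
	sig, err := c.SignNonce(nonce)
	if err != nil {
		return nil, nil, err
	}
	prt, enc, err := a.RedeemNonce(nonce, sig)
	if err != nil {
		return nil, nil, err
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.transportKey, enc, nil)
	if err != nil {
		return nil, nil, err
	}
	return prt, sessionKey, nil
}

func main() {
	dev, aad, err := Provision()
	if err != nil {
		panic(err)
	}
	prt, sk, err := dev.SignIn(aad)
	fmt.Printf("sign-in err=%v, PRT %d bytes, session key %d bytes\n", err, len(prt), len(sk))
}
```

Redeeming the same signed nonce twice is rejected, which is what stops a captured signed nonce from being replayed, and a signature made with a user key that Azure AD never registered fails verification in the same place; the session key that comes back can only be opened by the device holding the matching transport private key, which is why the real Cloud AP hands it straight to the TPM.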
Windows Hello for Business can be deployed as a cloud-only or hybrid identity solution and can be used both for Windows sign-in and for signing in to Microsoft 365 services. Windows Hello credentials are bound to a specific device (the key never leaves that device’s TPM), so you have to enroll it separately on each device you will be using.