Windows 10: Windows hello for business implementation

Hello looking for idea here for whfb.Have a hybrid join environment. Looking to move to passwordless authentication and need to prevent users from being able to login using password. Need to keep availabilty for admin account login and also not break apps that still use password to authenticate like company portal. Thanks for any help

:)

 

Windows 10 Hello for Business with Physical Smartcard and roaming uses across shared PC's

Hi Rosenbrier,



Thank you for writing to Microsoft Community Forums.



With the recent ratification of security keys by FIDO, Windows Hello allows security authentication for shared devices that allows full roaming experience. For more information, I would suggest you to refer to the article
Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared
devices and see if it helps.



If you have any further query regarding the same, I would suggest you to post your query in the
IT Pro TechNet Forums, where we have support professionals well equipped with the
knowledge on Windows Hello for Business.



Additional Info:

• Implementing strong user authentication with Windows Hello for Business
  
• Windows Hello for Business Frequently Asked Questions
  
  

Regards,

 

Determine why Windows Hello is unavailable on a Surface Book

Microsoft changed how Windows Hello worked on Domain-joined computers with build 1607, the "Anniversary Update".

Previously, Windows Hello on a business computer worked pretty much the same as it did on a home computer. It was more or less a stored password that was "triggered" by the chosen acceptable authentication methods.

Now it is based on certificates and other things that are generally much more secure.

If no changes are made in Group Policy on the Domain, a computer had an earlier build (such as 1511) of Windows 10 and a user had configured Windows Hello, and then the computer was updated to build 1607, that same user would still be able to use the same Windows Hello authentication methods. Any users trying to set up Windows Hello for the first time post-upgrade or just on build 1607 would not be able to.

The domain administrators must configure the new Group Policies controlling Windows Hello for Business before any of the authentication methods will work on computers running Windows 10 build 1607.

For more information and for the specific settings that must be set, please read the following official documents from Microsoft:

• Implement Windows Hello for Business in your organization - This is the functional document with a list of the new policies and what their settings mean.
  
• Manage identity verification using Windows Hello for Business - This is more of an overview and includes information about the differences between the home and enterprise versions of Windows Hello.
  
• Changes to Convenience PIN / Windows Hello Behavior in Windows 10 Version 1607 - This is a blog article about the major differences and may be helpful for users trying to understand what has happened and why.
  

 

Can't enable Windows Hello - Some settings are managed by your organization

I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update.
To get it to work you have to follow these steps:

1) Setup a Group Policy Central Store (you should already have that)

2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.

3) Setup a new GPO or add to an existing the following settings to enable Windows Hello:

• Computer Configuration/Policies/Administrative Templates
  

.../Windows Components/Windows Hello For Business/ Use biometrics => Enabled

.../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM

.../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)

.../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)

You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.

You will find more background here:
Changes to Convenience PIN / Windows Hello Behavior in Windows 10 Version 1607

and here

https://technet.microsoft.com/en-us...ement-microsoft-passport-in-your-organization

Most important excerpt:

If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.