Windows Hello for Business Tutorial

Jul 16, 2024

Presenter: Sarwansh

Introduction

  • Focus on Windows Hello for Business.
  • Topics covered: Configuration and testing in a lab environment.

What is Windows Hello for Business?

  • Windows 10 biometric authentication system.
  • Methods: Facial recognition, fingerprint, and PIN.
  • Acts as a secondary level of authentication.
  • Data stored locally on the device, not transmitted to authentication providers like Azure AD.
  • More secure than traditional username and password since attackers need physical access to the device.

Differences Between Windows Hello and Windows Hello for Business

  • Windows Hello:

    • Unique to the device on which it is set up.
    • Simple password-based authentication.
    • Individual can create a PIN or biometric gesture for personal convenience.
  • Windows Hello for Business:

    • Configured by Group Policy or MDM (e.g., Intune).
    • Uses key-based or certificate-based authentication.
    • More secure than Windows Hello convenience PIN.
    • Can be used in office or domain-based environments.

Workflow for Windows Hello for Business

  • Requirements:

    • Windows 10 (minimum version 1607) or Windows 11.
    • Machine should be joined to Azure AD (cloud or hybrid) or on-premises AD.
    • Device registration in Intune is mandatory.
  • Provisioning:

    • User authenticates with username and password.
    • Requires second-factor authentication.
    • Biometric or PIN setup.
    • Biometric data stored locally.
  • Authentication Flow:

    • User signs in using biometric or PIN.
    • Creates trust and validates against Azure AD.
    • Azure AD provides authentication token.
    • User logs into the device.

Biometric Sign-in Types

  • Facial Recognition:

    • Uses infrared (IR) illumination to distinguish a live person from a photograph.
    • Recognizes face for authentication.
  • Fingerprint Recognition:

    • Reads fingerprint to allow sign-in.

Policy Creation and Configuration

  • Creating Identity Policy in Intune:

    • Go to Devices > Configuration Profile > Create Profile.
    • Select Windows platform and Identity Protection Manager template.
    • Set policy parameters (e.g., PIN length, biometric authentication).
  • Deploying Policy:

    • Assign to a specific group.
    • Policy sync will enable Windows Hello for Business on target devices.

Testing

  • Setup:

    • Ensure device is part of Azure AD and Intune.
    • Sync policies to the device.
  • Example:

    • Test 1: Log in with a local admin account (expected failure).
    • Test 2: Log in with a cloud account (expected success).
  • Results:

    • Local account did not activate Windows Hello for Business.
    • Cloud account successfully set up Windows Hello for Business.
    • Users can use PIN or biometric data to log in.
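As an added example (not part of the video), the following PowerShell script checks, on the test device, the two conditions the tests above depend on: the join state reported by dsregcmd, and whether an enabling Windows Hello for Business policy has actually landed after the sync. It assumes dsregcmd.exe is present and that the Group Policy and tenant-scoped MDM registry paths named in the comments are where the policy is written; the MDM path in particular is an assumption to confirm on your own build.

```powershell
# Added verification script (not from the video). Assumptions: dsregcmd.exe exists on the
# device (Windows 10 1607+ / Windows 11) and the registry paths below are where the
# Group Policy and the tenant-scoped MDM (Intune) "Use Windows Hello for Business"
# setting are written; confirm the MDM path on your own build before relying on it.

function Get-DsregField {
    param([string[]]$StatusLines, [string]$Name)
    # dsregcmd /status prints "Name : Value" rows; return the value of the first matching row
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+)$'
    foreach ($line in $StatusLines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

$status = & dsregcmd.exe /status
$joinState = [ordered]@{
    AzureAdJoined = Get-DsregField $status 'AzureAdJoined'   # YES on a cloud or hybrid joined device
    DomainJoined  = Get-DsregField $status 'DomainJoined'    # YES on an on-premises AD member
    NgcSet        = Get-DsregField $status 'NgcSet'          # YES once this user has a Hello key (PIN/biometric)
    TenantId      = Get-DsregField $status 'TenantId'
}
$joinState | Format-Table -AutoSize

# Test 1 (local admin) should leave NgcSet = NO; Test 2 (cloud account) should turn it to YES.
if ($joinState.AzureAdJoined -ne 'YES' -and $joinState.DomainJoined -ne 'YES') {
    Write-Warning 'Device is not joined to Azure AD or AD, so Hello for Business provisioning will not start.'
}

# Policy presence: Group Policy path (value Enabled) and assumed MDM path (value UsePassportForWork).
$candidates = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Value = 'Enabled' }
)
if ($joinState.TenantId) {
    $candidates += @{ Path  = "HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\$($joinState.TenantId)\Device\Policies"
                      Value = 'UsePassportForWork' }   # assumed MDM location
}
$found = $false
foreach ($c in $candidates) {
    $item = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Value) -eq 1) {
        $found = $true
        Write-Host "Hello for Business enabled by policy at $($c.Path)"
        # PIN complexity settings sit in a PINComplexity subkey under the same policy root
        $pin = Get-ItemProperty -Path (Join-Path $c.Path 'PINComplexity') -ErrorAction SilentlyContinue
        if ($pin) { Write-Host "  MinimumPINLength = $($pin.MinimumPINLength)" }
    }
}
if (-not $found) { Write-Warning 'No enabling policy found; sync the device with Intune and re-check.' }
```

Run it once before the sync and once after: the policy warning should disappear after the sync, and NgcSet should flip to YES only for the cloud account sign-in.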

Practical Session

  • Walkthrough of policy creation and deployment in Intune.
  • Detailed step-by-step configuration of Windows Hello for Business on test devices.
  • Emphasis on real-world application in production vs. lab environments.

Conclusion

  • Successfully demonstrated the configuration and testing of Windows Hello for Business.
  • Importance of device registration and policy sync.
  • Encourages viewers to subscribe and like the video.

Additional Notes

  • Biometric and PIN data is not stored on Azure AD; local storage makes it more secure.
  • Regular updates and policy compliance are crucial for maintaining security.