Hello, hi guys, my name is Sarwansh, and thank you for watching my other Intune tutorial videos. In today's video we are going to talk about Windows Hello for Business: what is Windows Hello for Business, how we can configure it, and how we can test it in our lab environment. So let me start this video.

Okay, so here is something I wrote about Windows Hello. Windows Hello is a Windows 10 biometric authentication system which allows users to sign in to their device using facial recognition, fingerprint, and PIN. So basically this is a secondary level of authentication, which will give you one more authentication level: when you log in on your Windows, there is a username and password, and this is the next-level authentication where you require your fingerprint or face recognition or PIN. The data for these is stored on the device, so the data for your fingerprints and your face recognition will be stored on the device itself rather than being transmitted to the authentication provider like Azure AD. So this authentication data will not be saved in your Azure AD; it will be stored on your local device. So it is more secure than your password: if any attacker wants to attack your machine, he cannot attack easily, because the device is needed. Why? Because your face and fingerprint data is stored locally.

So now let's understand what the difference is between Windows Hello and Hello for Business. Windows Hello is unique to the device on which it is set up, but can be a simple password hash depending on the individual account type, and Windows Hello will not be backed by public or private key or certificate authentication. An individual can create a PIN or biometric gesture on their personal device for convenient sign-in. Then Windows Hello for Business, which
is configured by Group Policy or MDM like Intune, and always uses key-based or certificate-based authentication. So this makes it much more secure than the Windows Hello convenience PIN. So let me give you a perfect example for Windows Hello and Hello for Business. When you are configuring it locally, meaning you are not using GPO or MDM to activate Windows Hello on your machine, then it comes under Windows Hello. When you use Group Policy or MDM, then it comes under Windows Hello for Business. Another example: Windows Hello can be activated on your personal home device, but Windows Hello can be configured on your office or domain-based device. So these are the two major differences.

Now let's understand the workflow for Windows Hello for Business. It requires Windows 10 and 11; below those versions it won't work, but in Windows 10 also there is a minimum OS required, like 1608, I think 1607. So that is the minimum OS requirement when you use Hello for Business, and guys, it's very simple to understand the OS version: the OS version will be supported when your device is enrolled into AD. If you don't have the compatible version or the required version to enroll in AD, then your machine won't be enrolled and it won't show in Intune. So it's very simple: if your device is already enrolled into Intune, then obviously it will work.

Next thing: the machine should join into Azure Active Directory, on-premises or cloud, or cloud in the sense of Azure Active Directory. So if you are using the cloud like Azure AD, then your machine should be Azure AD joined, hybrid Azure AD joined, or Azure AD registered. So when you join a device into Azure AD you will be using one of these three methods.

Now, device registration. So device
registration is a fundamental prerequisite for Windows Hello for Business. So you should have registered your Windows device into Intune if you want to activate Windows Hello for Business; if it is not registered in Azure AD or Intune, then without registration Windows Hello for Business provisioning cannot start. Registration is where the device registers its identity with the identity provider. Okay, so it's very plain and simple: if your device is not registered in Intune, you cannot activate Windows Hello for Business.

Now let's understand what provisioning is. Provisioning is when the user uses one of the authentication methods to request a new Windows Hello for Business credential. Typically the user signs into Windows with a username and password. The provisioning flow requires a second factor of authentication, because it will create a strong two-factor Windows authentication.

So now let's move on to authentication. Once the device registration and provisioning are completed, the user can sign into Windows using a biometric or a PIN. The PIN is the most common gesture and is available on all computers unless restricted by the required TPM. So the PIN will be available for all, whichever biometric methods you use. And the thing is, the PIN is not stored on the local device, but your biometrics, like your face recognition or your fingerprint, will be stored locally.

Now, create a container. Okay, now this is the user here: when he logs in to unlock Windows, it's the identity, the container PIN or the bio, then it will create a container, provision identity, then it will go to your Azure AD. And the second thing, create a trust: so when you log into your device with your PIN or biometric, then it will create a trust by the unique... authenticated by validating this signed request, then it will go to Azure AD, then Azure
AD will provide an authentication token, and then your device will get logged in. So that is the flow of how Windows Hello is going to work.

Now let's understand biometric sign-in. We have two types of biometric sign-in. One is facial recognition; it's very simple, like when it recognizes your face, and that camera is using IR light. IR light is something which detects whether the living person is alive or it's a picture, so that IR technology is included with the facial recognition. And fingerprint recognition: your device has a space for the fingerprint reader, and once you keep your finger on that fingerprint reader it will read your fingerprint, and then it will allow the sign-in.

Now this is like a policy where we are going to create a policy for identity protection, and then we'll configure Windows Hello for Business, and this is how the output looks like for the user when that Windows is activated with Hello for Business. So now let us move to the practical session. We'll create an identity policy in our Intune, then we'll deploy it to the test machine, and then we'll test it. So let's move.

So here we have two machines in our console. So let's go to Devices, and under Devices we have Configuration profiles, and under Configuration profiles we can click Create profile. Once you click here, we're going to use a template to create it, so let's open it. So now here let's select the Windows platform, Windows 10 and later, and here is Templates, and under the templates, Identity protection. So let's select it and create it. Okay, so now let's provide the policy name; it's "Windows Hello", I can say, for the testing. Now click on Next. Now we have to enable Windows Hello for Business. So here is a requirement like the minimum length: if you move over the "i" icon, it will give you the range, like minimum 4 and the
maximum 127 digits you can provide. So the password length can be four to 127, and the maximum length can be in the range of minimum four to 127. So let me put it like eight digits, or I can put 10, so the maximum a user can put is 10 digits. And here is lowercase: yes, allowed; uppercase: allowed; special characters: allowed. PIN expiration: PIN expiration is like every two months the user has to update his password, or based on your company policy you can set this up. And now here is Remember PIN history. Remember history is used when you reset your password, like what was the last password, so you cannot keep the same password when the password is expired. So last three I can give, so I cannot use the last three passwords which were already used. Enable the recovery: yes. Use a TPM: TPM I don't have, as I am in a lab environment; that can be possible with a physical lab, so let it be. Allow biometric authentication: yes, I can do that, but we cannot test the biometrics as well because it's a VM. Then the anti-spoofing; these are not at all required for me in the lab. Now let's create this.

And now assign the group where we want to deploy this policy. I already created a group and added our two test devices to that particular group. So okay, so here I created a Windows Hello group, that is for my testing. Okay, I'm sorry, okay, just select it, and the policy will be pushed to these collection devices, these collection machines. Now here are the rules; I don't want to assign any rule. And now let's create it. So now we are good with our policy, and then we can test it on the end-user device. When the policy is synced on the end-user device, then we can do the testing. So let's move to the device.

So this is my first device. Why is it logged in with the admin? It should not be the admin. This device is... let me pull it down a little, and I have another device here, let me
keep it here. Okay, so let me log in first with my local account, just to pull the policy, nothing else, and then we'll go with our Azure AD account. So if you have hybrid Azure AD join in production, obviously your machine will be in the domain and your account is hybrid Azure AD joined, so if your account is part of the hybrid Azure AD join then you have to log in with that account. But in my scenario I have the Azure AD and the local account, so I don't have the hybrid Azure concept here. And let's test it.

So first I will pull the policy here on this device, and once the policy reaches the machine then we'll go for Windows Hello for Business on this one; and even we can do it directly also. So let's do the testing in both scenarios, so that it will be much more clear: if we do it in that way, what will be the result, and if we follow the other way, what will be the result. So that will be like a perfect scenario. So what I can do: I logged in on one machine with the local account, which is not going to work for sure, and on the other machine I'm going to use the cloud account. So let me go here and just log off this machine. This test two machine, Intune two machine, is logged in with the local admin account, and this machine we are going to log in with our cloud account. So we'll see the difference in how it's going to work. So let it sign in.

So okay, so now we are ready to log in. Let me go here and use the cloud account. This machine is already part of our Azure account in Intune. So let me bring the username here; I'm going to use this account. Let me see if I can paste it. No. Okay, so it's hard lunch, okay, hard punch at the rate once intune dot... and let's put the password. And on the other, let's complete this scenario. So once you log in with your cloud account on the machine, what will happen, and when you log in with your
local account, what will be the result? So let's test it both ways. Okay, so it's getting the machine ready; it might take a minute, and let's see what all it will show us. Okay, so once this window is ready, let us go to our other test machine and let's do the sync for the policy. Okay, so let me work on this machine and let me update the policy, because when we logged in we didn't get any pop-up at all. So now let me go here to Accounts and let's check the sign-in options first. Okay, let it open; it's taking some time now. So here you can see only two options; still Windows Hello has not been activated on this machine. So let us sync the policy, or if the user reboots the machine then it will automatically implement, or based on the interval also it will implement the policy. So let me go here and just sync the device. It was synced at 5:52 only, but anyway.

Okay, so on this machine, the other test machine, already we have something like "Use Windows Hello with your account: your organization requires you to set up Windows Hello Face, Fingerprint, or PIN for your work or school account." So let's go and just set it up. And now it will ask for authentication. Okay, so I got the authentication prompt; let me approve it. Okay, it's done. So now it's going to activate Windows Hello for Business on this device.

Okay, so now we got the pop-up to set up the PIN: new PIN and confirm. If you want to include letters and symbols, we can use that. So let me put a PIN; I'm going to create a PIN for this, and now let's click OK. If you want to use only numbers, you can use that. So our one machine is almost ready with Windows Hello for Business. And okay, all set, your PIN has been set; now click OK, and now we are good. So how can we test it? Just let me go and see in the Settings whether all is set or not. So you can just go here; let me go to Accounts, and you need to go to Sign-in options, and here you can see in
the Windows Hello for Business has been activated. So Windows Hello Face, Fingerprint, PIN, Security key, and these. So now this is like Face: if you click here, it says the camera compatible with Windows Hello Face could not be found. Okay, so I am in the lab so I cannot set this up, and this one also I could set up. So once you are in your office or in the production environment, then you can do all those things. So let me test one more thing; let me log off this. Okay, something went wrong, Windows... log off. I am taking two machines for the testing because if one machine is having a problem, I can show you on the other machine. But if you have seen it, this machine's sync is still going on; I'm not sure why it is going on, I have to fix that issue, it may be taking some time. But at least we have one machine to work on.

So now here, if you see, next, now it's asking for the PIN. Okay, so whatever PIN we have set up, that PIN we can provide. The fingerprint and the face recognition are not set up because we are in the lab environment. If you want to use the local sign-in you can change it here, and you can go with the username and password. So now it prompts for the password, and if you click here it will go for the PIN, so you can use both methods. So now let me put the PIN, and now it's getting logged in. And this one is having some problem; I don't know where it got stuck, but we are good with this machine.

So guys, thank you for watching this video. See you soon in my next video. Please subscribe to my YouTube channel and you can like the videos. So thank you guys, see you soon in my next video.
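As an added example that is not part of the video, here is the same Identity protection profile the walkthrough builds by clicking through the Intune portal, created and assigned instead with the Microsoft.Graph PowerShell SDK against the beta `windowsIdentityProtectionConfiguration` resource, using the lab values chosen above (PIN length 8 to 10, last 3 PINs remembered, recovery and biometrics on, TPM and anti-spoofing not enforced). The group ID and profile name are placeholders, not values from the video.

```powershell
# Added example (not from the video): build the Windows Hello for Business
# (Identity protection) profile through Microsoft Graph instead of the portal.
# Requires the Microsoft.Graph PowerShell SDK. The group ID is a placeholder;
# put the object ID of your own test group there.
$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace before use

# PIN and biometric settings mirroring the lab values picked in the walkthrough.
$settings = [ordered]@{
    "@odata.type"                                = "#microsoft.graph.windowsIdentityProtectionConfiguration"
    displayName                                  = "Windows Hello - lab test"    # placeholder name
    windowsHelloForBusinessBlocked               = $false   # Configure Windows Hello for Business: Enable
    pinMinimumLength                             = 8        # portal allows 4..127
    pinMaximumLength                             = 10
    pinLowercaseCharactersUsage                  = "allowed"
    pinUppercaseCharactersUsage                  = "allowed"
    pinSpecialCharactersUsage                    = "allowed"
    pinPreviousBlockCount                        = 3        # Remember PIN history: last 3
    pinRecoveryEnabled                           = $true
    securityDeviceRequired                       = $false   # TPM not enforced (lab VMs have none)
    unlockWithBiometricsEnabled                  = $true
    enhancedAntiSpoofingForFacialFeaturesEnabled = $false
}

# Sanity check before anything is pushed: a minimum above the maximum, or a
# value outside the portal's 4..127 range, would block users from enrolling a PIN.
function Test-PinLengthPolicy {
    param($Policy)
    $min = [int]$Policy.pinMinimumLength
    $max = [int]$Policy.pinMaximumLength
    if ($min -lt 4 -or $max -gt 127) { throw "PIN length must stay within 4..127" }
    if ($min -gt $max)               { throw "pinMinimumLength exceeds pinMaximumLength" }
    return $true
}
Test-PinLengthPolicy $settings | Out-Null

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body (ConvertTo-Json -InputObject $settings -Depth 5)
"Created profile '$($created.displayName)' with id $($created.id)"

# Assign it to the test group with no applicability rules, as in the video.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" `
    -Body (ConvertTo-Json -InputObject $assignment -Depth 5)
```

After the device syncs and the user completes the PIN enrollment, the Sign-in options page looks as shown in the video; on the endpoint, `dsregcmd /status` reports `NgcSet : YES` in its User State section once the Windows Hello for Business key has been provisioned.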