Windows Server and Active Directory have no support for second-factor authentication without either third-party software or Azure Active Directory. So, Windows Hello for Business (WHfB) was Microsoft's answer to second-factor authentication on Windows 10/11. There are still some third-party holdouts that use custom credential providers (the successor to the old MS GINA) to force their way onto the login screen, notably a lot of fingerprint readers from HP/Dell/etc., and also RSA SecurID. FIDO2 security keys are only supported as a second-factor authentication method for Windows sign-in when WHfB is utilized.

Now that's out of the way, let's talk about WHfB. It's fairly simple to set up using MEM Intune in an Azure AD-only setup: answer a few questions in the Intune configuration and off you go. If you are trying to do Azure Hybrid Join with Active Directory and enable WHfB, hold on, because this is going to take some advanced configuration. There are two different methods of deployment, and you should read the documentation fully before choosing one or the other. In either case, Azure AD Connect is a hard requirement, as is having the computers Hybrid Azure AD Joined. Really hoping this gets easier in the future, but this is where we are.

The other thing is that none of the above methods are really "passwordless": they still require a PIN to be configured on the security key for Windows Hello for Business to work. This isn't required for facial recognition or fingerprint readers, though a PIN still needs to be configured on WHfB as a fallback if those authentication methods fail. However, with a FIDO2 security key, you must configure an actual PIN, type it in, and then touch the key for it to work. The downside of this is that users will just configure the same PIN for both and not realize the security benefits the key provides. I have not yet found a way to disable the PIN fallback for Windows Hello, other than using very strict requirements for it (special characters, uppercase letters, symbols, etc., and maybe a really long minimum length). Since the security key PIN can just be numeric, that does make users prefer it and hardens the security. It should also be noted that in ANY of these configurations, the user can still choose the password option and sign in using their cloud password without a second factor.
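The two practical checks the post leans on are whether the device actually meets the hybrid prerequisites and what the WHfB PIN complexity policy ends up being. The script below is an added example, not from the original post or from Microsoft: it parses `dsregcmd /status` for the join and WHfB provisioning fields, then writes the strict PIN complexity settings the post describes as a local policy so they can be verified in a lab before pushing them from Intune or GPO. It assumes it is run elevated on a Windows 10/11 device and that the value names under `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity` match what the PassportForWork ADMX/CSP writes (check them against your own ADMX before relying on them); the 12-character minimum is an arbitrary choice for the example.

```powershell
# Added example (not the post's own code). Verify Hybrid Azure AD Join / WHfB state
# and apply a strict WHfB PIN complexity policy locally for testing.
# Assumptions: elevated session; value names below follow the PassportForWork
# GPO/CSP mapping and should be confirmed against your ADMX.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$PinRoot    = Join-Path $PolicyRoot 'PINComplexity'

function Get-DeviceJoinState {
    # Pull the fields we care about out of 'dsregcmd /status'.
    $raw   = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|NgcSet|DeviceAuthStatus)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined    = $state['AzureAdJoined']
        DomainJoined     = $state['DomainJoined']
        # Hybrid join = both AD domain joined and Azure AD joined
        HybridJoined     = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
        # NgcSet = a WHfB key has been provisioned for the signed-in user
        WhfbProvisioned  = ($state['NgcSet'] -eq 'YES')
        DeviceAuthStatus = $state['DeviceAuthStatus']
    }
}

function Set-StrictWhfbPinPolicy {
    param(
        [int]$MinimumLength = 12,   # example value, not a Microsoft recommendation
        [int]$MaximumLength = 127
    )
    New-Item -Path $PinRoot -Force | Out-Null
    # For the character-class values: 1 = required, 2 = not allowed, 0/absent = allowed.
    $values = @{
        MinimumPINLength  = $MinimumLength
        MaximumPINLength  = $MaximumLength
        UppercaseLetters  = 1
        LowercaseLetters  = 1
        Digits            = 1
        SpecialCharacters = 1
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PinRoot -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
    # 'Use Windows Hello for Business' = Enabled
    New-ItemProperty -Path $PolicyRoot -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-WhfbPinPolicy {
    Get-ItemProperty -Path $PinRoot |
        Select-Object MinimumPINLength, MaximumPINLength, UppercaseLetters, LowercaseLetters, Digits, SpecialCharacters
}

$join = Get-DeviceJoinState
$join | Format-List
if (-not $join.HybridJoined) {
    Write-Warning 'Device is not Hybrid Azure AD Joined; the hybrid WHfB prerequisites are not met.'
}
Set-StrictWhfbPinPolicy -MinimumLength 12
Get-WhfbPinPolicy
```

Two caveats worth keeping in mind when reading the output: these settings only govern the WHfB PIN, since a FIDO2 key's PIN is set on the key itself (Settings > Sign-in options > Security Key, or the vendor's tool) and is outside the reach of this policy, which is exactly the asymmetry the post uses to nudge users toward the key; and nothing here touches the password credential provider, so the password sign-in option remains available just as the post describes.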