
WebSSO: Windows Hello for Business with Enterprise Active Directory bound Windows device setup


Article Intended For

Penn State IT Staff.

Introduction

Windows Hello for Business is a feature of Microsoft's Azure Active Directory and Microsoft Multifactor Authentication. It is considered a passwordless, phishing-resistant strong authentication method. It is approved for use with ATOs and Enterprise Active Directory bound Windows systems. It enables sign-in with PIN, fingerprint and facial recognition.

Requirements:

Step-by-Step Instructions

  1. Submit a request to the WebSSO team to leverage Windows Hello for Business for sign-in, using the WebSSO general request form. Select Windows Hello for Business.
    1. Provide the User and Computer EAD security groups, which should already exist. If they do not, you will need to create them as defined above.
  2. You will receive a response that the groups have been added to the appropriate GPOs.
    1. Please allow 1 full day for the policies to fully apply to the computer.
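
A read-only check IT staff can run on the workstation, as the enrolling user, to confirm the policies from step 2 have applied. This is an added example, not part of the original article. It assumes the GPOs use Microsoft's standard "Use Windows Hello for Business" setting, which is stored under the PassportForWork policy registry key; the function names are hypothetical.

```powershell
# Added example: read-only checks, nothing is changed on the system.
# Assumption: the GPOs set Microsoft's standard "Use Windows Hello for Business"
# policy, which is written under the PassportForWork policy registry key.

function Get-WhfbPolicy {
    # Returns the policy values for one hive, or $null if no policy is present.
    param([string]$Hive)   # 'HKLM' = computer policy, 'HKCU' = user policy
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\PassportForWork"
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key
}

function ConvertFrom-DsregStatus {
    # Turns the "   Name : Value" lines printed by `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$computer = Get-WhfbPolicy -Hive 'HKLM'
$user     = Get-WhfbPolicy -Hive 'HKCU'
$dsreg    = ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status)
$pinKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

[pscustomobject]@{
    # Enabled = 1 means the "Use Windows Hello for Business" policy is on.
    ComputerPolicyEnabled = ($null -ne $computer -and $computer.Enabled -eq 1)
    UserPolicyEnabled     = ($null -ne $user -and $user.Enabled -eq 1)
    # PIN complexity rules delivered by policy (the source of the PIN setup error).
    PinComplexityPolicy   = (Test-Path $pinKey)
    # Device join state; an EAD bound device reports DomainJoined = YES.
    DomainJoined          = $dsreg['DomainJoined']
    AzureAdJoined         = $dsreg['AzureAdJoined']
    # NgcSet becomes YES after the user completes a Windows Hello setup.
    NgcSet                = $dsreg['NgcSet']
}
```

If both policy fields are False after the waiting period, `gpresult /r` lists the GPOs that actually applied to the computer and user.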

User Directions: These are generally for IT staff reference. 

  1. Log in to your Windows desktop or laptop system normally with username and password.
  2. Connect to the Global Protect VPN and verify it is connected.
  3. Select the Windows Start menu and type "Sign-In Options".

    Windows Start Menu Sign-In Options

  4. Click or select Sign-In Options to launch the Sign-In Options control panel.

    Sign-In Options

  5. Select the Windows Hello sign-in option you wish to leverage and that is supported by your system. Some systems do not support facial recognition, fingerprint or PIN without additional components. Please check with your IT staff if you wish to leverage a method that is not working on your system.

Facial Recognition setup:

  1. Select Facial recognition (Windows Hello)

    Facial Recognition setup

  2. Select Setup

    Windows Hello FacialRec Setup

  3. Select Get Started
  4. Verify your identity with your authentication credentials; our example uses username and password.

    Verify Account

  5. Your configured default camera will capture your face for facial recognition.
  6. Once completed, you will come to the end of the setup. You can choose to improve recognition or select Close.

    All Set Facial Rec

  7. Once configured, cache your Windows Hello for Business sign-in so it can be used when your device is off the network:
    1. Verify you are still connected to the Global Protect VPN.
    2. Select the Start menu.
    3. Select your user icon and the option to switch users.
    4. Select the PIN sign-in option.
    5. Provide your Windows Hello for Business PIN.
    6. This will cache your Windows Hello for Business PIN for offline sign-ins.

Fingerprint recognition setup:

  1. Select Fingerprint recognition (Windows Hello)

    FingerPrint Setup Sign-In Options

  2. Select Setup. A dialog box titled "Windows Hello Setup" will pop up.

    Windows Hello Setup Finger

  3. Select Get Started
  4. Verify your identity with your authentication credentials; our example uses username and password.

  5. Scan your fingerprint.

  6. Once scanned you will receive a message, "All set!".

    Finger Completed

  7. Select Close.
  8. Once configured, cache your Windows Hello for Business sign-in so it can be used when your device is off the network:
    1. Verify you are still connected to the Global Protect VPN.
    2. Select the Start menu.
    3. Select your user icon and the option to switch users.
    4. Select the PIN sign-in option.
    5. Provide your Windows Hello for Business PIN.
    6. This will cache your Windows Hello for Business PIN for offline sign-ins.

PIN setup:

  1. Select PIN (Windows Hello).

    PIN Selected Option Setup

  2. Select Setup.
  3. Verify your identity with your authentication credentials; our example uses username and password.

    Verify Account Info

  4. Set up a PIN. Select the blue PIN requirements option to verify that you are following the University security requirements for PIN complexity; otherwise you will receive an error.

    Set a PIN

  5. You will be directed back to the Sign-In Options screen.

    Redirect back to Sign In Options

  6. Once configured, cache your Windows Hello for Business sign-in so it can be used when your device is off the network:
    1. Verify you are still connected to the Global Protect VPN.
    2. Select the Start menu.
    3. Select your user icon and the option to switch users.
    4. Select the PIN sign-in option.
    5. Provide your Windows Hello for Business PIN.
    6. This will cache your Windows Hello for Business PIN for offline sign-ins.

 

Known Errors:

PIN setup error: Provide a PIN that meets the complexity requirements. Your PIN must include at the following.
PIN Requirements