Implementing Windows Hello for Business at Microsoft
Hello, and welcome to this IT Showcase webinar. I am recon hire, a business program manager with the IT Showcase team, and today with me I have two experts who are here to discuss how Microsoft IT implemented Windows Hello for Business. So hello and welcome, both Dimitris and Mike. Why don't you just introduce yourselves?

Hello, my name is Dimitris. I work for Microsoft IT, our internal IT department, tasked in the last few months with deploying Windows Hello for Business internally at Microsoft.

And I'm Mike Stevens. I'm a Senior Program Manager with...

Welcome again. So before we get started with this session, I do want to remind everyone who has joined us today that you can ask us questions during this session. We also have some time towards the end dedicated for just questions, but you don't have to wait until then; you can send us your questions any time and I'll ask them as they come as well. We also have a couple of questions for you on Bing Pulse, so please do take a moment to answer that. And we will also have this webinar available to you in a few weeks on demand, so if you have any colleagues who you would like to share this content with, please feel free to do so. So with that, Mike, why don't we get started?

Sure. So, today's agenda: we're gonna start off with just a basic Windows Hello for Business overview and kind of give everybody a feel for what that is, and once we're done with that overview, we intend... I'll hand it over to Dimitris and he'll actually talk about the specifics that Microsoft IT did in their deployment of Windows Hello for Business.

Good. And we've done this for now almost a year, you said, you've been on the... And we've done a couple of deployments already, so very excited to hear what it is. Dimitris, take it away.

So, the
first thing we want to do is let everybody know who's out there watching that Windows Hello for Business is not necessarily new. It's been a little bit of a rebranding structure here, to where it was formerly called Microsoft Passport or Microsoft Passport for Work. So we have now actually rebranded it to Windows Hello for Business so that it matters, so that it means more, more benefiting to our Windows Hello brand. So with that, we first introduced the deployment model that Microsoft IT deployed in November of last year with our Windows 10 November update, and the whole point of this is to move people away from passwords. Passwords, or weak passwords, are not something we want people to do; they're replayable. So the idea here is to give them a strong user credential that isn't replayable, that they can use, and then tie it to some really cool features like biometrics.

So the strong point of what makes Windows Hello really cool and beneficial is that we use keys, and those keys are protected by a security device known as the TPM in most modern computers. So this way those keys are generated on that computer, they can't move to another computer, so they're secured in that computer. So if we make one on this computer, it can't be replayed to another one, and that's the security property we have. But the great thing about it is the user experience: it's just like if you were using a password, or if people are familiar with virtual smart cards or physical smart cards, it works the same way that way as well.

So again, some of the great features about it: with passwords, we have this pass-the-hash attack that has been ongoing, that Microsoft has been completely trying to drive out of the market, and so moving to strong keys helps us accomplish that. The other great thing about it is, in the hybrid environment, which is what Microsoft IT deployed, we can do a single sign-in to both resources
in Azure Active Directory and the on-prem Active Directory. So the user would sign in with their Windows Hello and they're instantly authenticated to both, and they should not see very many prompts when they go to either resource.

And I've been using it for months now and it's been a great experience so far.

So yeah, it's really cool to just sign in and then be able to get your work done. And then the great added value is, if you have a camera or a fingerprint sensor, you're not typing in a PIN at that point; you're actually using facial recognition or your finger, and then you just sign in that way, which is a really cool feature to have for the end user, makes it signing in. And we also, in Microsoft IT, and I think Dimitris, you're gonna cover this a little bit more, we can use it for VPN. So when you sign in with Windows Hello, that can also do your authentication to VPN as well, so it's a really cool feature. We're
really glad to have it in Microsoft IT and it's really working out pretty good.

Great, and great points, because you know, it's so much of that user experience, right? It's across all the different resources that we try to access in a day, and so yeah, I've enjoyed it so far.

Great. So let's move on with service components and how we actually deployed that at Microsoft IT. So three main pillars are: the directory infrastructure, which consists of Active Directory and Azure Active Directory; the PKI infrastructure, which we already had deployed in Microsoft, so we leveraged this one in order to simplify our deployment; and of course the management pieces, where the actual enrollment happens for the PIN and the certificate.

Same, in terms of transition, though, so we've had passwords, we've had smart cards, and then now it's kind of a natural evolution to the next type of authentication, because we've had them together, correct?

Yes, and we've been using physical and virtual smart cards for a long time at Microsoft, and as Mike said, it was a natural evolution for us to go from virtual smart card, for example, to Passport for... sorry, it's Hello for Business. So it was a natural evolution because to the user it seems kind of the same; there's no real difference other than the icon that's being used to differentiate the credential.

So, speaking of the service components, let's double-click into directory, PKI and also management a little bit. So we've been using the on-premises Active Directory that we already have, of course, and we have also used Azure AD Connect in order to connect our on-premises Active Directory to Azure Active Directory, which is required for a lot of things. One of these is the device registration: our company devices are registered with Azure AD, and there is a synchronization also between on-premises Active Directory and Azure Active Directory.

On
PKI infrastructure, we also have two components: we have the certificate authority component and the registration authority component. So the registration authority component is handled by NDES, which is a service that can be found on Windows Server, which basically handles the certificate issuance and renewal on behalf of the clients. And the backend, we can say, our certification authority, AD Certificate Services, handles the actual issuance of the certificate to the user.

Of course, this is done by a management interface, by management infrastructure, which includes Microsoft Intune and Configuration Manager 1606 coupled with the CRP component, the certificate registration point component, which is actually the component that handles the whole certificate enrollment end-to-end for the user. Of course there's some group policy that handles some components of the PIN policy, and we're also enforcing TPM usage, which we're going to cover also later, as well as some PIN length and complexity requirements that we're using in Microsoft IT.

Let's see how the service works. So devices are first registered with Azure AD in the background using a GPO. We've been using a GPO for a long time to do that for all Microsoft IT devices. So this is kind of a component that's not really visible to the user; it happens in the background, the user doesn't know anything and doesn't need to know anything.

This is like a preparation for...

Correct, yeah, this is a prerequisite, yes, for devices.

Right.

And then, again using a GPO, we deploy the Configuration Manager client, 1606 at this point, which is also required for Hello for Business, the latest version of Configuration Manager. So the client itself gets deployed by GPO, the client lands at the user's device. There's a policy, actually two policies, that come down to the client, and these
policies are the ones being used to handle the whole issuance piece of the PIN, of the Windows Hello for Business PIN. So Configuration Manager, after the policy comes down, checks for prerequisites; we're gonna see later on there are some prerequisites for the client to be able to get a PIN. And of course, after the prerequisites are met, it enables PIN creation.

So at next sign-in the user will see a full-window experience which will require PIN enrolling, a full-screen experience which will require PIN enrollment. So the user will choose the PIN at this point, and after that finishes, in the background there's gonna be certificate enrollment happening, where the needed certificate, which as we said looks like a smart card to the user, is gonna come down to the device, and this
is the end of the workflow, where the user now has a PIN and an associated certificate with it.

So there's something that happened in the background and then there's something that the user has, correct? So the user experience is mostly where he's asked about the PIN, to create your PIN?

Yeah, so there's a window saying you notice on your PIN now, you click OK, there's a PIN window coming up, you just put your... you enter your PIN there twice, and that's it.

Yeah, that's the provisioning flow. So what Dimitris is talking about is basically, when all these prerequisites are met, the user gets this really nice fresh provisioning flow right at the time when they log in. It's very contextual, so it's not jarring in any way, and it has a nice message that says, hey, your organization wants you to create a PIN. You type in your PIN, it'll then go ahead and do some key registration in the background, like Dimitris said, and then you'll get this certificate. And so the one thing I wanted to point out is the reason why we use PIN: PIN is an easy Windows Hello modality. PIN is the gesture that you provide to unlock access to that key. PIN is the most common modality because it doesn't require hardware, or specific hardware. You can use biometrics, and then in that case you would use your biometrics, but your PIN is a fallback mechanism. If for some reason you cut your finger and so forth, you can't sign in with your biometrics, at that point you can still fall back and use your PIN, and you're not going to password.

Oh, so let's see some lifecycle management information now. What happens with renewals? There's, you know, a lot of pain points in renewals for virtual smart cards, physical smart cards: pop-ups and all this stuff. This doesn't really apply to Windows Hello for Business. Renewals happen automatically in the background; again, users don't have to do really anything. So the user experience is great on the renewal front. So
this is one of the good things we've seen at Microsoft IT with Hello for Business, that, you know, users don't really have to care when their credential expires, if they have to do something. Really, nothing. The user just... there is a certificate, the associated certificate gets renewed.

And that's also the same experience that we had when we had smart cards? I mean, you'd have...

Yeah, so it's pretty much true for people, if you're used to that, then you kind of see the smart card experience was a little bit more disruptive, because what would happen is it would ask you for your PIN. Yeah, so you would actually get a balloon in the background, on the bottom, this wonderful balloon that people will click on, and then it says, hey, we need to enroll you a new cert or renew your cert, I think is what it said, and then it would ask you for your PIN. Right. In this case,
what Dimitris is talking about is we've kind of removed that away from the virtual smart card, to where the certificate just renews on the user; they don't even get interrupted in their workflow.

We do have one question here. So how do you tie Microsoft Hello into applications that do not support PKI authentication?

How do you tie Windows Hello into applications that do not support PKI auth? Look, so in this particular case Windows Hello would not be able to tie into those applications. What we do have for the applications that do support, like, smart card authentication, yeah, Windows Hello has kind of, what, we have two ways to interface. It has the Windows Hello interface, where you can get a biometric prompt, but we also knew that we needed to be backwards compatible with a lot of applications that knew how to smart card, right? So we also have a way to where Windows Hello can be seen by applications as a smart card. So if you have an application and it knows how to interface with a smart card, Windows Hello will pop up and look like a smart card. You won't be able to use biometrics in that particular scenario, but you would still be able to type in a PIN, very similar to smart card.

OK.

But as far as just a regular key authentication, in that particular case Windows Hello, it doesn't... Things have to be enlightened in order for that authentication to work.

Okay, all right.

Moving on for lifecycle management: revocation. Basically, revocation is the disablement of the user's certificate, the stopping of using a certificate because of some kind of, usually, security issue; we don't want the user to have anymore the ability to log in with a PIN. So revocation is something that we can do as well as we could do with physical smart cards and virtual smart cards. This happens again at the certificate authority service, or we can also do that through Configuration Manager.

Reporting and metrics. So there have been... we
have been using Hello for Business for the last one year, and so we wanted at Microsoft IT to see how it progresses, you know, the success rates, if the users have any issues, if something's going wrong, if we can, you know, understand the small amount of users that could not get a Windows Hello for Business credential. So what we did was we created custom reports. Actually, we first created custom telemetry that let us understand what these issues were, at what point, and we could then go back to the product group and, you know, ask for some help on these cases. So these were actually very useful because it uncovered a lot of issues that we, together with the PG, fixed. Now the experience has become even better in the recent version, Windows 10 Anniversary Update. We also have custom reports coming out of the telemetry which show the success rates, show us, you know, the amount of users in each update and how, you know, each update handles success. So of course we see better success with the recent Windows 10 Anniversary Update right now.

And I noticed that too, in terms of just the experience. Now I didn't know prior to the Anniversary Update,
of course, but yeah, post that, I mean, it's been suddenly very different, because the number of issues versus what it is right now, right?

Yeah, I think the Anniversary Update has been a great success for Windows Hello for Business. We've made quite a bit of optimizations in our TPM performance and how we access the TPM, how we use it. We've done some great work with the Configuration Manager team in optimizing the certificate enrollment and getting that to be in a little bit more timely fashion, and so forth. And then we bettered the admin experience; I think deploying the latest version with 16... of the Anniversary Update is a lot easier.

And to finish with reporting and metrics, you also can get reports out of Configuration Manager as well as Intune. They have, you know, reports, they have databases where you can just look into some amount of the information we're also collecting. The difference with our telemetry is that our telemetry is handled directly at the client level, so we have more information on the client level other than, you know, just for the certificate enrollment parts or, you know, the PIN creation parts.

Yeah.

So let's look at the deployment we had at Microsoft. So we rolled out Hello for Business, I think it was called Passport for Work back then, to a hundred thousand plus users at once, so it was a global enablement. And all employees, as well as vendors, who had a virtual smart card, a physical smart card, or phone auth could enroll for a PIN, because, as we're going to see later, we require two-factor authentication. Because this is a strong credential, we require two-factor authentication for the user in order to get that credential.

And we cover, of course, all the enrollment scenarios we have here at Microsoft, which include of course domain-joined devices, Azure Active Directory joined devices, as well as Intune-enrolled devices, so like bring-your-own-device scenarios, as well as, you know,
corp scenarios.

So let's take a look at the architecture we have at Microsoft for Windows Hello for Business. As we can see, we have Windows 10 Anniversary Update devices, whether domain joined, as I said, or not, that are registered in Azure Active Directory, which in turn is using Azure Active Directory Connect to connect with our on-premises Active Directory. Of course we're also using AD FS for federation, as well as using Application Proxy.

Here is the configuration management part. You can see that we're using Configuration Manager with a specific Windows Hello for Business policy. So Configuration Manager is right now in version 1606. We've been deploying a specific Windows Hello for Business policy that enables users to get a PIN and the associated certificate, and we're also using the certificate registration point feature of Configuration Manager that lets users, actually lets the system, actually handle certificates to users. Of course we're also using Intune for bring-your-own-device scenarios, with of course, again, a certificate policy that deploys certificates on behalf of the users.

And here's the backend infrastructure. We have the public key infrastructure: we're using an issuing certification... actually, we're using more than one issuing certification or certificate authorities, that's in the back end for issuance of the certificates. And we're using NDES with a specific Configuration Manager policy module that handles the issued certificates to the CRP, actually to the users, after it has been given the thumbs up from the CRP endpoint of Configuration Manager.

Now, this is a PIN complexity... The PIN complexity right now is set in the Windows Hello for Business policy. So in the new version, 1606, of Configuration Manager, you can set all PIN complexity
and PIN complexity policies in a specific Configuration Manager policy. So this one handles everything from the enablement of the credential itself, so if the user is going to get the credential, up to policies and if the TPM is going to be used. So everything is in that policy; that's a one-stop shop for the administrator to set the policy for Windows Hello for Business.

Okay, so we have a quick question here. Are there two management consoles to manage certificate renewals and revoking?

The renewal part just happens. The way that you configure certificates in Active Directory Certificate Services, the template, you have the lifetime on the certificate template, and then you can set a renewal period. And so what happens is the Windows 10 client looks at the renewal period, and then basically, when you get in that renewal period, that's when Windows 10 just tries to go out and start trying to renew the certificate on your behalf, because we can't renew a certificate once it's expired; you need a new one. So we want to do everything we can to get that renewal. But on the revocation, I know you said that you could do it through the Configuration Manager, correct?

That's correct.

And that's nothing new; you've always been able to do it there. So maybe, is there a special interface in config...

That's probably... the second half of the question would help on that, I guess. In other words, do I have Config Manager and Intune management consoles or portals, or is this combined in 1607?

I guess we probably don't have a clear answer to that, but in terms of, he said you can do it in the CA. The CA is where definitely you have to do it, because you need to know what CA issued that certificate, and then you need to look that certificate up, and then there it's literally, like, a right-click on the CA management console.

So basically you can do it at both points.
It's... at the end, it's a certificate authority that's going to handle revocation. Either if you do it from Configuration Manager or from the certificate authority, it's a certificate authority that's going to actually do the revocation at the end. And if you want to do it through Configuration Manager or Intune, you have to give the specific permissions for the servers that handle this, on the Configuration Manager or Intune point, to the certificate authority; there are specific permissions needed for revocation.

Just an additional one here: can you provide a link or other resources around Config Manager CRP? And I think we would have... people posted, actually, throughout the presentation, so I think you have quite a few in fact.

Yours. That make it available.

All right. But thanks for putting this together as a diagram, by the way, man. There were so many components, it could look like a lot of moving parts, right? And then just trying to put it all together, so thank you for doing that.

Yep. And a few minutes ago we spoke about how the user experience is, so we have a screen also of how the PIN issuance experience is and how the actual usage is. So if we look at the issuance workflow, you can see that we have a full-screen window that says "Set up a PIN." So this is what the user sees.

This is the beginning of the provisioning flow. So this is all the orchestration from the last slide Dimitris just put through, and it's now enabled; the machine has received that enable Windows Hello for Business policy. On the next sign-in, this is what the user will see right after they sign into Windows.

Correct. So in Windows 10 Anniversary edition, if you have met all the prerequisites, there are two ways that this screen comes up: either you sign out of your device and then at the next sign-in you have the full-screen experience using "Set up a PIN," or, if
you have all the prerequisites, again, you can go to the settings of the accounts and you will see that you're now enabled to get your PIN, and you can just click the button and start the PIN workflow.

Oh good, so you can actually do it even from the account settings?

Correct, yes. That's, I think, a new feature from, I think, Windows 10 Anniversary Update onwards.

Yeah, it's just that the settings part is a little bit buried.

Correct, yes.

It's really hard for users to see.

Yeah, so it's easier for an organization just to, you know, roll that out, and at the next logon the user can just go in and create his or her own PIN.

Yeah. Also, that's for the issuance part. For the usage part, you can see that I have included a window here; you can see it's just very easy. It's like a pop-up, the same pop-up you'd get for your password, your physical or virtual smart card. It's just the icon, you know, that dial pad icon, that's different; other than that, everything else looks the same as it would with any physical or virtual smart card or even a password. You can see there are some details in the screenshot: for example, the name of the user, the subject of the certificate, is being shown, the issuer, which is the issuing CA, as well as the validity of the certificate. And of course if you click OK, you have to enter your PIN.

How long does this take, just doing this little activity?

Oh, it's nothing. It comes up, you just put your PIN in, and...

Just remember your PIN after that.

Yeah, yep, yep.

So, as we said before, we had a lot of telemetry for us to understand what were the issues that we were having with some users getting a Windows Hello for Business credential, and we have learned a lot, and it's something we want to share. So let's start seeing, from the client side, from the device side, what were the issues that we were usually seeing with Hello for Business: a lot
of TPM issues, and this is not... this is not new, because we already had similar issues with virtual smart cards. Well, yeah, we have a big deployment here in virtual smart cards at Microsoft IT, so we already have, which of course is the same in the sense that it does require a TPM, like Hello for Business; the policy here at Microsoft also requires the device to have a TPM in order to be deployed. So we already had this issue in the past; this is not something new, but I'm just going to mention them here.

It's a dependency, correct?

It's a dependency kind of thing. You know, it's something, especially in TPM 1.2, OEMs handle, you know, most of the hardware part, you know, lockouts, all this time; these are not things we can handle with TPM 1.2. So sometimes the user's at the mercy of, you know, a lockout period or some things that we cannot centrally manage or, you know, do anything about.

So some of the issues we saw with TPMs are: the TPMs were just missing, so where we had devices with no TPM, so these cannot actually handle the Hello for Business policy that we set in Microsoft IT. Or the TPMs were there but not initialized. So for example, if you have a TPM on your device, you still have to go through the BIOS settings and enable it. Sometimes it doesn't come enabled from the OEM, so you have to go enable it; sometimes
it was not done. So this kind of initial issues with TPM. Other issues we faced were lockout policies. As I said, TPM 1.2 doesn't help too much about lockout time. You need to have your device in a usable state; again, it is not something we can really manage, cannot really do anything about it. TPM 2.0 helps in that respect; this is more now... the policy is something that you can expect: there are specific lockout periods and times. But of course TPM 2.0 is not yet available in many devices, but I think that's going to change in the next few months.

The one thing I would want to add on that: he's correct. Within the product we've learned a lot about TPM 1.2 versus 2, and we can definitely say that the performance gains that we get in using TPM are significant over TPM 1.2. So really, as a lesson learned, as a recommendation: anytime you can use TPM 2.0, it's a better experience overall for the TPM. It handles lockouts better, as Dimitris said, whereas 1.2, I often joke that if you look at it wrong it'll lock out. It's very, very quick to lock out, it's very much honest security, it has a lot more user friction there, and it varies between manufacturers. TPM 2.0 is a lot more mature and it has had a few iterations to go through, so we definitely are seeing a lot more performance improvements in TPM 2.0 than we do with 1.2.

Yes, and Mike is speaking about speed. This is something, you know, we don't really see and we don't really look at in Microsoft IT, because we, you know, we see the total success. So whether it takes a second for a TPM to respond or 10 seconds, this is something we don't really have too much insight into, but, you know, Mike and the product group do have that insight; they get that kind of thing.

Yes, I mean, the goal for Windows Hello for Business is to have the password experience. So if I sign in with a password and I get to my desktop in 3 seconds, that's
great. Now, if I sign in with this really cool thing but it takes 10 seconds, or even, so say it takes 5 seconds, that's a digression. You know, we're degrading that user experience. So we really need to try to do performance, because these are crypto operations that are being obfuscated from the user; they don't really want to know what's going on in the background. But we're talking software's going to hardware and then coming back out and all these other things, so we really are optimizing at the millisecond level, trying to make those operations as quick as possible.

So, last thing is, sometimes users clear the TPM, or helpdesk, you know, advises them to clear a TPM, and that created some friction with the Windows Hello for Business credential. It would be, you know, in a state that it wouldn't be able to work, or for sure, if you clear a TPM, the keys are there, so if you clear your keys, you have an issue. So that is better handled now; we're gonna see later on that's better handled now in Windows 10 Anniversary edition, you know, update, as well.

We also had some PIN and certificate enrollment issues. So after the prerequisites are met, you usually need at least one sign-out and sign-in to happen, and you know, what happens is that users usually set up a new device, they do everything, you know, all the reboots required at the very beginning, or the log-outs, their sign-outs, before the prerequisites are met. So after that the user just locks the device and, you know, goes home, so there's never really that... that sign-out we need doesn't really happen. Sometimes you need to wait, like, for the last Patch Tuesday to happen in order for you to reboot your device, which means sign out of your device as well. So this
is an issue we're having with some users that don't really sign out.

Yes, that affects the adoption?

Correct, because you have everything ready but that last action that's needed to trigger these workflows and happen. So another thing is that before Windows 10 Anniversary Update we also needed a specific password sign-in, which means users could not sign in with a physical or virtual smart card; that would not enable Windows Hello for Business. But that has also been fixed in Windows 10 Anniversary edition, so, an update, so this is not an issue anymore.

We also had some problems finding prerequisites. You know, the prerequisites were not there: the TPM was not there, or the device hasn't been correctly registered with AAD, hasn't been registered at all for some reason. You know, these were usually transient phenomena, which means that at some point they were fixed, but they were still, you know, driving adoption at lower levels than the ones we would like.

And some other PIN and certificate delays. Sometimes, you know, there would be some kind of very big, as we're going to see later, very big load on our NDES servers that, you know, would... would defer, let's say, the certificate enrollment for a later period. So, oh yeah, sometimes, yeah, you know, Monday morning, which means renewals, you know, users signing in after their reboots or whatever.

So let's see some troubleshooting we did for the issues we found. For our Active Directory issues, as we just said, the device might not have been registered correctly or it might not have registered. This might have been, like, a GPO issue, because this is handled through a GPO, so that might have been a GPO issue, or that might have been a case where the user just, you know, created a device but didn't have any corp connectivity, or any connectivity at all, you know, just got the device at home, set up the device, and other
cases, and this relates to the TPM clear we said before, is that
there's an Azure AD certificate that is handed to users, to devices, when the device is registered with Azure AD, so that private key was missing sometimes, especially after TPM clear actions. So that would create, again, an issue: even if the PIN was not there, the prerequisite Azure AD stuff was not there, so you cannot get a PIN if you have your TPM cleared or there were any issues with your Azure AD private key. So this was all, again, the experience has been much better in the Windows 10 Anniversary Update, so now there is a silent way to re-register your device with Azure AD, and that helps, really. So the user doesn't have to know that something is going wrong in the background. So that's the advantage of doing it so early, that we got all of that taken care of. Correct. In the Anniversary Update we have been. So all of these are what we had to go through, but not necessarily what someone else would have to go through. Correct, and the good thing with our deployment at Microsoft IT is, as we said before, it's more than a hundred thousand users, so it's a big deployment that, you know, really makes you understand all the issues that come up that wouldn't normally come up in a small to medium sized architecture deployment. So this was good. Yes, we're spanning thousands, you know, tens of thousands of different devices. We're doing laptops, we're doing desktops, we're doing phones. So, I mean, having that much deployment surface really exposes a lot of stuff that they give us, the product group, back as feedback, and, you know, I think we meet weekly now, and we trade feedback, and we get that feedback and look at ways that we can continue to improve Windows Hello for Business. Let's go to PIN enrollment issues. So yeah, if we consider that Azure AD registration is done correctly, the next step is to enroll for a PIN, right? So we had some issues there as well. For
example, pre-existing, as we said before, pre-existing Azure AD issues would not let you get a PIN, so we had to fix whatever Azure AD issue was underlying this so that you could go to the enrollment. Smart card sign-ins: as we said, before the Windows 10 Anniversary edition anybody signing in with a physical or virtual smart card couldn't get Hello for Business credentials. This was not enabled, so again, this was fixed later on. One of the other issues we have been seeing is unhealthy Configuration Manager clients. Unhealthy could mean anything: it could mean a bad installation of the Configuration Manager client, it could be that the Configuration Manager client cannot connect to the management point and receive the policy, it could be that the policy has come down but for whatever reason it's not evaluated locally, so the user cannot actually get a PIN because the prerequisites are not met. And that leads us to our next bullet, which is network or Azure AD intermittent issues, or Configuration Manager network intermittent issues. So whatever happens intermittently in the network really doesn't help, because at that point your client might be checking for prerequisites or might be trying to get a certificate, so anything that happens in between as a network issue would really create an issue for Hello for Business. So any kind of phone network issues really affect our deployment. And there's also an error list on TechNet where you can see all the errors that happen during PIN provisioning. If the PIN provisioning, you know, that full-screen experience, is
not successful, you will see a specific error, and there's a very useful page on TechNet that, you know, will show you what kind of error that is, if that's network related, you know, TPM, CSP related, whatever it is related to. So that'll be great for troubleshooting. So, there's a quick question: how does the operational workflow support look like from the helpdesk view? That is, the user doesn't remember a PIN, or the user has been on extended leave and doesn't remember the PIN. The user experience here is, again, very streamlined and very easy for the user, so the user can just go and reset his or her PIN through the Settings page. OK, and it's very easy, but if they can't get in because they can't remember? Oh, you're saying... oh, so you can fall back to password. Yep. There are policies, obviously, that if you have those enabled might prevent that, but by default we still allow the user to fall back to password. So they can fall back to using their password, and once they get in there's an "I forgot my PIN" link on the Settings page that will allow you to go ahead and basically it'll reset you. I believe you'll do a two-factor auth, a multi-factor auth, so we prove that it is you who's resetting your PIN, and then you'll go through the provisioning flow again and you'll just get reprovisioned. OK. Yeah, and we also have other authentication methods, for example most of our users have signed up for phone auth, so you can also do, you know, phone auth if you want to do some kind of authentication to a website or whatever. Continuing with troubleshooting, the last part of getting a Hello for Business credential is actually getting the certificate. So again, issues we saw with this: usually login with a smart card, physical or virtual. Again, that has been fixed. We did that, correct, that was like a year ago? Almost a year ago, yes. Users
are not corporate or VPN connected, so users, you know, must have line of sight to our corporate environment. Of course, now we do have internet-connected, internet-facing Configuration Manager management points, so we can use them, but before we didn't have them, so, you know, users should have some kind of VPN connection or direct corporate connection. Again, intermittent network connection errors, and again Configuration Manager health issues, because it's, again, Configuration Manager that actually handles the whole certificate enrollment thing for the user. But if you have an unhealthy client, then it's not just Passport, correct? Not just Windows Hello; at that point in time, you know, everything has... Yeah, I mean, all the things that you're relying on Configuration Manager for are probably not working. It's just that when you put it in the face of authentication, that's the thing that everybody wants. When authentication isn't working, users know that immediately. It bubbles up very quickly: I can't sign in, I can't do my work. Whereas if Configuration Manager is doing hardware inventory and it doesn't work, well, the guy who's checking the hardware inventory report will know that it didn't work, but it doesn't affect the user anyway. So let's go to... we've been talking in the last few minutes about the Anniversary
Update and what new things the Anniversary Update gave us. Custom tasks are gone. So what happens in this case is that during the November update, when Hello for Business first came out, there was no specific, sorry, specific way of handling the question: when is my computer ready to receive Hello for Business? Have I met the prerequisites? So we had to create some custom tasks in order to actually trigger PIN enrollment and trigger certificate enrollment. These tasks are now gone, because in the Anniversary Update, and actually in Configuration Manager 1606, we have everything being handled by Configuration Manager. There's nothing we need to do, no custom tasks to trigger anything from our part, so these are gone. And this is why, if you go back to our architecture, you're going to see that we now have clients being required to have the Anniversary Update edition, so we can have all the latest goodies that Hello for Business provides, so we can have a better user experience. Again, as we said, TPM clear actions are now handled gracefully. If something happens with a TPM, helpdesk requires you to clear the TPM, or something is going wrong with the TPM and keys are gone, this is handled in a much more graceful way from the Hello for Business part. So Azure AD device registration happens again in the background and everything is reinitiated for the user to get a new Hello for Business credential. We've mentioned that already several times: you don't have to have only a password now in order to enable the Hello for Business workflow. You can log in however you like, including physical and virtual smart cards. Right, so if you already have that, it just kind of plugs in to that. And the containers, I think Mike is more... Yes. So before the Anniversary Update we had this notion, this is kind of going deep inside the
architecture of Windows Hello as it sits on the client. We have these things called containers. They're logical; they're basically how we protect the keys. And before the Anniversary Update we had two containers: one that would basically have all your consumer kind of keys, like your Microsoft account key, and then we had the enterprise container. Now, the problem that we faced with that, and both of these containers are protected by the TPM, so that's why we call them containers, the problem is that meant you had two PINs. The user feedback we got was two PINs was just crazy: lots of friction, didn't really work well. You'd go into Settings and you didn't know which PIN it was, you know; we had this concept of work PIN, and it just didn't really resonate well with end users. So in the Anniversary Update we did what we called container convergence. We've now merged everything that was using two containers down into one container, and we have one PIN, and then all your keys are just put in there. They're still secured the same way, we're using the TPM, but now you have one PIN and that's the only PIN you ever have to use. Whether you're going to a Microsoft account website, such as, you know, outlook.com, or whether you're going to a SharePoint site in Office 365 with your business account, you just need to use the one PIN and/or the biometric, and that'll get you access to the keys to sign in. Right, I remember that, because when you set up your biometric, you know, even before the
policies came down you set up the PIN, and the next thing you get the policies and again you're asked for the PIN, right? And so that's the confusion that has been... Yeah, and the confusion was most, you could see it most in bring-your-own-device scenarios. I mean, you could, you know, you'd have your computer at home and you would set a PIN before, you know, actually enrolling that into Intune, right? You set a PIN, that's a local thing, fine. And then you would go to Intune, you know, join your device to the company, and then you would have another PIN, and then you had, you know... But that was the confusing part, right? Because, you know, you're going, I already have a PIN, you should just use that one, right? So then the confusion started right at the enrollment process, and so now it's: do I want to do this? I'm not sure what I'm doing. And then I'm sure that caused some helpdesk calls, because they're like, I already have a PIN, why are you asking me for another one? So yeah, the Anniversary Update is really great in that experience, in that it's one PIN. Users like that. And then, you know, as he said, we have PIN complexity requirements, so we can make the PIN as long as we want and as complex as we want, and so that way, if you're worried about the PIN, you know, being too short, or shoulder surfing, we have mitigations against that too, where it's pretty reliable to use. Yep. Yep. One last thing here, since we've been talking about TPM a lot: let's make clear that TPM is not a requirement if you want to set up Hello for Business, but it's strongly recommended, because it just, you know, puts all your keys into a separate, you know, not a logical container as was just said, but a physical container that's separate, and that really enhances your security. So here at Microsoft IT we require TPMs for Hello for Business; we opted to require TPM.
So we do not give Hello for Business credentials to any device that does not have a TPM. That's part of our prerequisites? Correct, now it's part of our prerequisites. Yeah, it's an actual policy setting that we have, it's called hardware required. Yeah, and so basically MSIT, they check that box, and so that's part of the prerequisite check: before the user even sees this provisioning page, we're going to check to see if you have a TPM, and if you don't, then you never get interrupted. So, some additional resources we have included here. There are some very good documents you can go to, Microsoft documents you can use. So we have our own Windows Hello for Business case, Implementing strong user authentication with Windows Hello for Business, and a document on enabling Windows 10 VPN with Windows Hello for Business; that's how we actually enabled Windows 10 VPN at Microsoft IT. After Windows Hello for Business rolled out, users could use that credential to securely log in to their VPN connections. So you're saying you kind of documented everything that you just said right now, and people can just go... Yes. Yeah, with much more detail than what we discussed now. So there's a paper that people can go and check how IT did it at Microsoft. And of course then we have the product group documentation on TechNet, the Microsoft Passport guide. So, just to say it again, Windows Hello for Business used to be called Microsoft Passport, actually Passport for Work, so whenever you see Microsoft Passport or Passport for Work, it's actually the previous name of Windows Hello for Business. So that's why there's a Microsoft Passport guide here. And the new version of it, I mean an additional version of it, is the Manage identity verification using Windows Hello for Business document, which also has the newest information about the Anniversary Update and all the updates we did with Configuration Manager 1606. And a
very important document is the last one, which actually details a deployment for Windows Hello for Business on the parts that are more, you know, difficult and kind of cumbersome to deploy, which is the Configuration Manager NDES and CRP components. It's like the step by step? Yeah, it's a step-by-step guide for these specific ones. And of course users, administrators, can also find resources on how you actually set up a certification authority and how you set up the certificate templates needed for your specific certificate. All right, that's a lot of good resources as well, and thank you very much. We will start taking questions, we have a few questions in fact, but before we go into the questions I do want to let everyone know who's on the call with us that we're going to post one more Pulse question for you. It's a feedback question, we really want to hear from you. So we'll just give them a moment to take
that feedback, take that Pulse, and we will take the questions right here. So let's see, I'm going to go over the question that I'm seeing last over here. All right, so, yeah, oh, nothing, a continuation. OK: seems like TPM is required for Windows Hello, is this correct? Is that... Just no. We could actually kind of say it is, but it's not physically required. If you wanted to deploy Windows Hello without a TPM, you can, but there are security concerns with that. As I mentioned earlier in our talk, we have this thing called replay. Passwords are replayable: if I know your password, I can replay it on another machine. With Windows Hello, the key: if I can take that key and move it to another machine, I can replay that key. The TPM is critical in making sure that I can't move that credential, that key, from one computer to the next. So if you don't have a TPM, we'll create a key, but that key will just reside in software and it's not protected by anything, so, you know, technically you could move that key. So there's a reason why we really push for having the TPM, but we understand that for enterprises, in their supply chain, as far as where they buy their hardware and when they buy their hardware, it may be a slow move there, so you need to have a way to be able to target those with or without it. So the question is, can you drive a car without airbags? Of course you can, but do you want to? Probably not. But it goes back to the very start, when you were saying about what we'll be mitigating. Yeah, I mean, mitigating. So it really enhances the security, and Windows Hello for Business is all about security, so we strongly recommend TPM. Coming from Dimitris, who lives and breathes in that particular team, he's like, yeah. Yeah, of course. I mean, it doesn't make sense... you can, you can bypass the TPM requirement, in the sense that you may not want to enable it, but considering what Mike said, I don't
think you'd want to. It would be the last resort, yeah, if you do want to enable it for a lot of devices that don't have a TPM currently, but maybe it's a better idea to leave some devices out, you know. You know, that's a good point, I mean, really, to do it in phases. I mean, as much as we did this in a broad deployment, we actually did it in phases, and we learned a lot as we were doing that, right? Because our deployment of Windows 10 was also in phases over multiple weeks, and so small groups were getting it and we were getting a lot of feedback coming back from them as well, right? So we have a few more questions, so let's see. Let's start with: can I roll out Hello for Business if I don't have a pre-existing PKI? So, a PKI is required. We didn't really touch on too many of the deployment models and so forth like that. We have a minimalistic PKI model, or what we call the key trust model, where you still need a PKI, and the reason why is you need to issue the domain controllers certificates, so that when a Windows 10 client communicates with a domain controller, it needs to know that this is a legitimate domain controller, not a rogue one. And the way you do that is you have to have a root of trust, and so the certificate that is deployed to the domain controller serves as that root of trust. The enterprise trusts that certificate, and so therefore when your Windows 10 client is sending authentication information to a domain controller, you want to make sure it's a legitimate domain controller, rather than somebody having set up a rogue domain controller and now they're redirecting authentication data to a domain controller that's not part of the business. So we have a lightweight version of that, where the clients themselves do not need certificates.
So you just... and the great thing about domain controllers is, if they see an enterprise certificate authority, they just get a certificate automatically. So it's pretty lightweight, but we still always require a PKI; we just don't necessarily require you to issue certificates to your clients. All right, so here's a slightly long question, so let's see: "We've been trying to implement Hello for Business but without success. We already have the GPO to register domain PCs and a GPO for Hello for Business PIN settings. We are not using AD FS or Config Manager. Can you provide us any assistance or links to tutorials that help implement without Configuration Manager? We have 2016 DCs in our environment." So, and the question there would be, what's missing for me there is whether they have Azure Active Directory. It says, yes, we have Azure AD. OK, but they don't have Configuration Manager. So if they have 2016 domain controllers, yeah, they can deploy a hybrid version of Windows Hello for Business that doesn't require certificate issuance, which is where you need Configuration Manager. It's sort of a very open-ended question to try to answer here, but it will work, but you do need to have 2016 domain controllers. That is an absolute requirement, because what will happen is you'll generate a key, and then that key will be used to authenticate, rather than a certificate, to the on-prem domain, and the only one that knows how to do that form of authentication is a 2016 domain controller. The other thing that would potentially be something to check on, which links back to what Dimitris says: I didn't hear anything about device registration. So I just, I don't think I heard it. If you do have the GPO to register domain-joined... So I would start with the device registration log and
make sure that your device is actually being registered. That's probably the biggest one that will stop you from seeing the Hello provisioning. OK. So, I guess in our case the best is when we had all of those components together, but, you know, if you don't have one piece or the other it will, but it's going to be... And also make sure that the client operating system is at least Windows
1511, Windows 10 at the level which would be the November update, yeah, and the .17 version specifically, onwards. You know, there might be some devices that are not up to this level at this point, so you need to check this one as well, and all the prerequisites. Right. OK, so here's another question: what challenges did we see with users adopting a new method of logging in? Was it just excitement, people excited like there's something different? This has to do a lot with communication. I mean, how do you communicate the message, now you have a new credential? Because if you don't say anything, users just sign into a new device or an existing device and then they get a full-screen window saying now you have to set up your PIN. So the user says, what is this PIN? Who is this telling me that? Do I need to do that? Is that some kind of malicious window or whatever? So we did an initial communication that users are now receiving a new credential, so if you see that, it's a new credential rolling out. So the response has been great, I think. From the communication part, it helped. But again, users of course are always, you know, seeing something new, they, you know, step back a little bit and say, well, what is this thing? So I would say from the deployment part there were not too many issues. It was mostly educating users that this is your new credential, and educating them why it's better than the ones we already had. And I think, look, as you said, it's communications, and also the user experience, it's improved over a period of time. So now it's not just waiting for a certain condition to happen before it triggers, but the workflow has always been just two prompts, simple. And I think once you can get them over that education hurdle, and then they get the experience of signing in with their face or a fingerprint, then
they're hooked. Yeah, then they're hooked for life. I mean, when I talk to customers about this, they love the idea of sitting in front of their laptop and then just signing in with their face. When I go home, my wife has a Microsoft account that uses Windows Hello; she sits down at her Surface Book and she just looks at it, and she loves that experience. And I think consumers and our IT workers, I think everybody at Microsoft loves the biometric experience once you get past this. Yeah, it's the education part: you've just got to make sure they understand it is a legit thing and it is real. So we're almost out of time, and let's see if we can take one quick question, which I think you've answered already, but we'll take it: what Windows client versions are supported for Hello for Business? Yeah, so the minimum version is Windows 10 November edition, specifically 10586.17 onwards. This, however, means that if you're going to use November update editions you will need, as we said before, some custom tasks in order for these clients to trigger PIN enrollments. So even though Windows Hello for Business is really supported on these operating system versions, we would strongly recommend the Windows 10 Anniversary Update. All right, so with that, thank you so much. Thank you so much, it's like a year of data download, clearly, and maybe much more than that for you, Mike. But thank you so much. Thank you for joining us online. You can find this webinar again; it will be available on demand in a few weeks on microsoft.com/itshowcase. There are also other webinars that we do, in fact very frequently, so please go again back to microsoft.com/itshowcase, check for what's coming up next and what we already have. So thank you again. Thank you, and have a great day.
2018-02-22 12:19
Yes
If my password is expired due to password policy (90 day expiration), will my PIN still work?