Tim H. posted a new blog post on his site Cloud-Boy.be.
Situation:
- Azure AD Joined computers/laptops
- Devices managed with MEM (Microsoft Endpoint Manager) – Intune
Target:
- Enabling Windows Hello for Business
- Enabling multi-factor unlock: face recognition plus a trusted device (smartphone) or PIN
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is bound to the device and unlocked with a biometric or a PIN. Windows Hello for Business lets users authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Prerequisites for a cloud-only deployment:
- Windows 10, version 1511 or later
- Microsoft Azure account
- Azure Active Directory
- Azure Multi-Factor Authentication
- Modern management (Intune or a supported third-party MDM), optional
- Azure AD Premium subscription, optional: needed for automatic MDM enrolment when the device joins Azure Active Directory
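Before pushing the Intune policy it is worth confirming the prerequisites above on a test device. The script below is an added example, not code from Tim H.'s post: it runs locally on the Azure AD joined device, parses the output of the built-in `dsregcmd /status` (field names `AzureAdJoined`, `MdmUrl` and `NgcSet` as Windows prints them), checks the OS build (Windows 10 1511 is build 10586) and the TPM state via `Get-Tpm`, and reports which prerequisites are met. Run it from an elevated PowerShell started by the signed-in user, because `Get-Tpm` needs administrator rights while the `NgcSet` user-state field is only shown for the current user.

```powershell
# Added example (not from the original post): pre-flight check for a cloud-only
# Windows Hello for Business deployment. Run as the signed-in user, elevated.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped in sections;
    # collect them into a hashtable. Header and separator lines carry no
    # colon and are skipped.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-WhfbPrerequisites {
    $ds = Get-DsregStatus
    $os = [System.Environment]::OSVersion.Version

    # Get-Tpm (TrustedPlatformModule module) needs an elevated session;
    # treat a failure as "TPM state unknown" rather than aborting.
    try   { $tpm = Get-Tpm }
    catch { $tpm = $null }

    $checks = [ordered]@{
        # Windows 10 1511 is build 10586; anything newer also qualifies.
        'Windows 10 1511 or later'       = ($os.Major -ge 10 -and $os.Build -ge 10586)
        'Azure AD joined'                = ($ds['AzureAdJoined'] -eq 'YES')
        # MdmUrl is only populated once the device is enrolled in an MDM (Intune).
        'MDM enrolled (Intune)'          = (-not [string]::IsNullOrEmpty($ds['MdmUrl']))
        'TPM present and ready'          = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        # NgcSet = YES means a Hello key is already provisioned for this user here.
        'Hello key already provisioned'  = ($ds['NgcSet'] -eq 'YES')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK     ' } else { 'MISSING' }
        Write-Output ('{0} {1}' -f $state, $name)
    }
    return $checks
}

# Usage: prints one line per prerequisite and returns the result table.
$result = Test-WhfbPrerequisites
if (-not $result['TPM present and ready']) {
    Write-Warning 'No ready TPM found (or session not elevated): the Hello key would be software-protected.'
}
```

The last check is informational: a device that already reports `NgcSet : YES` has a Hello credential and the policy will not re-prompt the user, which explains why a test device may appear to "skip" enrolment after the policy is assigned.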
1. ENABLE WINDOWS HELLO FOR BUSINESS IN MEM (INTUNE)
In the Microsoft Endpoint Manager admin center, navigate to Devices – Enroll devices – Windows Hello for Business