It is time to go back to the Windows Hello series and continue it.

Today’s topic will be the first one that requires more than our laptop.

Requirements

  • Active Directory (2008 R2 +)
  • Public Key Infrastructure in AD
  • Azure AD Connect
  • Device Registration on Azure AD Connect
  • Windows 10 devices (from 1703+)

The diagram below depicts the overall architecture of a WHFB Hybrid Azure AD Join deployment

Architecture overview

Environment Setup

For this exercise I will deploy a brand new environment that will contain:

  • 1 Domain Controller
  • 1 PKI Server
  • 1 Windows 10 virtual machine with TPM (hosted on Hyper-V server)

As always, let’s use PowerShell to deploy part of the environment, but before that please download the package from the GitHub repo https://github.com/przybylskirobert/whfb

Resource Group Deployment

Run the following command in order to create required resource groups

.\Create-ResourceGroup.ps1 -ResourceGroupPrefix 'rg' -ResourceGroupLocation 'northeurope' -LocationShortName 'neu'
Deploying resource groups

The script will create 5 resource groups (all in the North Europe region):

  • rg-ad-neu – dedicated resource group for AD-related services
  • rg-network-neu – network-related resource group
  • rg-mgmt-neu – management-related resource group for resources such as Log Analytics
  • rg-srv-neu – resource group for servers
  • rg-wks-neu – resource group for workstations

Network Deployment

Every VM must be attached to a network, so the command below deploys the virtual network

# the network resource group created in the previous step is rg-network-neu
.\Create-VirtualNetwork.ps1 -ResourceGroupName "rg-network-neu" -Location "northeurope" -LocationShortName 'neu' -VirtualNetworkPrefix '10.10' -Verbose

The script deploys a VNet called vnet-main-neu with the 10.10.0.0/24 address space and three subnets

  • snet-adds-neu
  • snet-wks-neu
  • snet-srv-neu

VMs Deployment

As mentioned at the beginning, we need two main servers: DC and PKI.
To deploy them, run the following code

$List = @(
    $(New-Object PSObject -Property @{Name = 'vm-adds01-neu'; Size = 'Standard_DS1_v2'; Vnet = 'vnet-main-neu'; Subnet = 'snet-adds-main'; IP = "10.10.0.4"; ResourceGroup = 'rg-ad-neu' }),
    $(New-Object PSObject -Property @{Name = 'vm-pki01-neu'; Size = 'Standard_DS1_v2'; Vnet = 'vnet-main-neu'; Subnet = 'snet-srv-main'; IP = "10.10.0.68"; ResourceGroup = 'rg-srv-neu' })
)
.\Deploy-VirtualMachines.ps1 -List $List -Location "north europe" -Credential (Get-Credential)
Servers deployment

During the script run, you will be asked to provide credentials that will be used for the local admin account on the servers.

Servers Configuration

As soon as we have access to the new VMs, we can start the configuration process.

DC setup

The first server to configure is the domain controller.

Log in to the server and run the following code

$path = "c:\tools\"
$pathTest = Test-Path -Path $path
if ($pathTest -eq $false) {
    New-Item -ItemType Directory -Path $path
}
# Windows PowerShell defaults to TLS 1.0 for Invoke-WebRequest; GitHub and download.microsoft.com
# require TLS 1.2, so enable only that (SSL 3.0 and TLS 1.0/1.1 are deprecated and not needed here)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$outfile = $path + "Scripts.zip"
Invoke-WebRequest -Uri "https://github.com/przybylskirobert/whfb/archive/refs/heads/main.zip" -OutFile $outfile
Expand-Archive -LiteralPath $outfile -DestinationPath $path
$outfile = $path + "AzureADConnect.msi"
Invoke-WebRequest -Uri "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi" -OutFile $outfile

The code downloads two files:

  • Scripts.zip from my GitHub repo
  • AzureADConnect.msi

Run the following commands

C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -InstallAD -verbose
Installing ADDS

During the script run, you will be asked to provide a DSRM password and informed about the reboot.

System reboot

After the reboot log in to the system and run the next commands

C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -DeployOU -verbose
Deploying OU

This code will deploy the default OU structure and create users

Ignore errors related to the transcript.

The last thing to do on the DC is to download the administrative templates and put them in SYSVOL

C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -InstallTemplates -verbose
Installing Administrative templates

Now we can create the Windows Hello for Business Users group, which will be used for security filtering on the GPO

# The group lands in the Groups OU created by the -DeployOU step above
$groupName = 'Windows Hello for Business Users'
$path = "OU=Groups," + ([ADSI]"LDAP://RootDSE").rootDomainNamingContext.Value
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -Path $path
# domop and tester are accounts created earlier by the -DeployOU step
Add-ADGroupMember -Identity $groupName -Members domop,tester

PKI setup

The first thing to do before installing and configuring PKI is the domain join 🙂, which I will skip as it is an obvious step.

As for the DC setup, we need to download the zip file from the GitHub repo using the following code:

$path = "c:\tools\"
$pathTest = Test-Path -Path $path
if ($pathTest -eq $false) {
    New-Item -ItemType Directory -Path $path
}
# GitHub requires TLS 1.2; enable only that (SSL 3.0 and TLS 1.0/1.1 are deprecated)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$outfile = $path + "Scripts.zip"
Invoke-WebRequest -Uri "https://github.com/przybylskirobert/whfb/archive/refs/heads/main.zip" -OutFile $outfile
Expand-Archive -LiteralPath $outfile -DestinationPath $path

Then run the following command

C:\Tools\whfb-main\Configure-ADCS.ps1 -Verbose
Installing AD CS role
Configuring AD CS

Note: during the installation you will be asked to provide credentials. Remember that these need to be Enterprise Admin-level credentials; if you used my script for the lab deployment, use the Domop account.

After the script has run, we move to the manual part (not yet scripted, but it will be soon): creating a certificate template

Open the Certification Authority console, right-click Certificate Templates and select Manage

Certificate Authority

In the newly opened window, find the template called Kerberos Authentication and duplicate it

Duplication certificate template

A new window should open; configure the following:

General tab

  • Template Display Name: Domain Controller Authentication (Kerberos)
  • Validity period: Provide value
  • Renewal period: Provide value

Compatibility tab

  • Certification Authority: Windows Server 2008 R2
  • Certificate recipient: Windows 7 / Server 2008 R2

Subject Name tab

  • Select: Build from this Active Directory information
  • Subject name format: None
  • Include this information in alternate subject name: DNS name

Cryptography tab

  • Provider Category: Key Storage Provider
  • Algorithm name: RSA
  • Minimum key size: 2048
  • Request hash: SHA256

Close console when done.
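Because the template is still created by hand, it is worth reading it back from AD and checking it against the tab settings above. The script below is an added example, not part of the original post or its repo; it assumes the display name used above and that, for v3+ templates, the CNG algorithm and hash settings live in msPKI-RA-Application-Policies.

```powershell
# Added example (not part of the original post): verify the duplicated template in AD.
# Runs on the DC or any domain member with the ActiveDirectory module.
$templateName = 'Domain Controller Authentication (Kerberos)'   # display name used in the post
$configNC     = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$templatesDN  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = 'msPKI-Template-Schema-Version', 'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag',
         'pKIExtendedKeyUsage', 'msPKI-RA-Application-Policies'

$tpl = Get-ADObject -SearchBase $templatesDN -Filter "displayName -eq '$templateName'" -Properties $props
if (-not $tpl) { throw "Template '$templateName' not found under $templatesDN" }

# msPKI-Certificate-Name-Flag is stored as a signed 32-bit value; normalise to unsigned
$nameFlags = [int64]$tpl.'msPKI-Certificate-Name-Flag'
if ($nameFlags -lt 0) { $nameFlags += 4294967296 }
$EnrolleeSuppliesSubject  = 0x00000001   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (not "build from AD")
$SubjectAltRequireDns     = 0x08000000   # CT_FLAG_SUBJECT_ALT_REQUIRE_DNS (SAN: DNS name)
$SubjectRequireCommonName = 0x40000000   # CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME (subject format other than None)
# Assumption: CNG provider settings (RSA, SHA256) are stored in this attribute for v3+ templates
$appPolicies = [string]$tpl.'msPKI-RA-Application-Policies'

$checks = [ordered]@{
    'Compatibility 2008 R2: schema v3+ (required for Key Storage Provider)' = ($tpl.'msPKI-Template-Schema-Version' -ge 3)
    'Subject built from AD, subject name format None' = (($nameFlags -band ($EnrolleeSuppliesSubject -bor $SubjectRequireCommonName)) -eq 0)
    'SAN includes DNS name'                           = (($nameFlags -band $SubjectAltRequireDns) -ne 0)
    'Minimum key size 2048'                           = ($tpl.'msPKI-Minimal-Key-Size' -ge 2048)
    'Algorithm RSA'                                   = ($appPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`RSA')
    'Request hash SHA256'                             = ($appPolicies -match 'msPKI-Hash-Algorithm`PZPWSTR`SHA256')
    'EKU KDC Authentication (1.3.6.1.5.2.3.5)'        = ($tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.2.3.5')
    'EKU Smart Card Logon (1.3.6.1.4.1.311.20.2.2)'   = ($tpl.pKIExtendedKeyUsage -contains '1.3.6.1.4.1.311.20.2.2')
}
# Print one PASS/FAIL line per setting
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

The two EKU checks cover values inherited from the Kerberos Authentication template; a FAIL there means the wrong template was duplicated.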

GPO Configuration

GPO: Distribute CA Certificate

  • Log in to the PKI server, open the Certificates console and export the CA certificate (from the computer certificate store) to a .cer file. We will distribute this file via GPO to all devices, so that our CA is placed under Trusted Root Certification Authorities
  • Switch back to the DC and open the Group Policy Management console
  • At the domain level, create a new GPO with the following name: Distribute CA Certificate
  • On the Details tab, set GPO Status to User configuration settings disabled
  • In the navigation pane, expand Policies under Computer Configuration.
  • Expand Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities and import the certificate that we exported just before.

GPO: Enable Windows Hello for Business

  • Open Group Policy Management console
  • Create a new GPO called Enable Windows Hello for Business
  • In the navigation pane, expand Policies under User Configuration.
  • Expand Administrative Templates > Windows Components, and select Windows Hello for Business
  • In the content pane, double-click Use Windows Hello for Business. Click Enable and click OK
  • Double-click Use certificate for on-premises authentication. Click Enable and click OK.
  • Expand Windows Settings > Security Settings, and click Public Key Policies
  • In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
  • Select Enabled from the Configuration Model list.
  • Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  • Select the Update certificates that use the certificate templates check box.
  • Click OK.
  • Link the newly created GPO to the domain level
  • In the Security Filtering section of the content pane, click Add. Type Windows Hello for Business Users or the name of the security group you previously created and click OK.
  • Click the Delegation tab. Select Authenticated Users and click Advanced.
  • In the Group or User names list, select Authenticated Users. In the Permissions for Authenticated Users list, clear the Allow check box for the Apply Group Policy permission. Click OK.

GPO: Device Registration

  • Open Group Policy Management console
  • Create a new GPO called Device Registration
  • In the navigation pane, expand Policies under Computer Configuration.
  • Expand Administrative Templates > Windows Components, and click Device Registration.
  • In the details pane, right-click Register domain joined computers as device and select Properties.
  • Select Enabled from the Configuration Model list.
  • Click OK.
  • Link the newly created GPO to the OU that contains the devices that should be included in the WHFB deployment

GPO: Domain Controller Auto Certificate Enrollment

  • Open Group Policy Management console
  • Create a new GPO called Domain Controller Auto Certificate Enrollment
  • In the navigation pane, expand Policies under Computer Configuration.
  • Expand Windows Settings > Security Settings, and click Public Key Policies.
  • In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
  • Select Enabled from the Configuration Model list.
  • Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  • Select the Update certificates that use the certificate templates check box.
  • Click OK.
  • Link the newly created GPO to the Domain Controllers OU
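Once the domain controller auto-enrollment GPO is linked, the useful check is whether a DC really received a certificate from the new template and whether it chains to the CA distributed by the first GPO. The script below is an added example (not the post's script); it assumes the template display name from the post and is run elevated on the domain controller.

```powershell
# Added example (not part of the original post): confirm the DC got its Kerberos
# Authentication certificate from the new template after the autoenrollment GPO.
$templateName = 'Domain Controller Authentication (Kerberos)'   # display name used in the post
$kdcAuthEku   = '1.3.6.1.5.2.3.5'                                # KDC Authentication
$dcFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$domainDns    = $env:USERDNSDOMAIN.ToLower()

# Trigger autoenrollment now instead of waiting for the scheduled autoenrollment cycle
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# Pick the newest machine certificate that carries the KDC Authentication EKU
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $kdcAuthEku })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with the KDC Authentication EKU in the DC machine store yet' }

# Certificate Template Information (name resolution relies on the AD OID cache) and SAN as text
$tplInfo = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }).Format($false)
$san     = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)

$checks = [ordered]@{
    "Issued from template '$templateName'" = ($tplInfo -like "*$templateName*")
    'Signed with sha256RSA'                = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
    'RSA key size >= 2048'                 = ($cert.PublicKey.Key.KeySize -ge 2048)
    "SAN has DC FQDN $dcFqdn"              = ($san -like "*DNS Name=$dcFqdn*")
    "SAN has domain DNS name $domainDns"   = ($san -like "*DNS Name=$domainDns*")   # default of the Kerberos Authentication template
    'Private key present'                  = $cert.HasPrivateKey
    'Chains to a trusted root (CA GPO)'    = $cert.Verify()
}
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```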

VM deployment

In order to test WHFB properly, we need a machine that has a TPM module (a physical machine or a Gen 2 VM on Hyper-V).
I will skip the VM deployment and domain join here, but there is one important thing to check: run PowerShell as an administrator and run the following command

Get-TPM

Check in the results that the TpmPresent property is set to True

Checking TPM presence

First Use

As our ‘volunteer’ we are going to use the ‘Windows Hello Tester’ account, which was synchronized to Azure AD.

First of all, we sign in with the standard user name and password on the welcome screen

Logging in as a test user

Right after a successful login (if we did not make any mistakes) the Windows Hello screen should appear.

Configuring Windows Hello for Business

Because we are using a ‘fresh’ account, we have to go through MFA configuration first; in this case it will be a text message

Configuring MFA for the first time

After the MFA setup, the next thing is to configure the PIN (I advise using at least 6 characters)

Configuring PIN

And voilà, the Windows Hello for Business configuration for the user is finished

Final Confirmation

The last thing to do is to check that everything works fine

Logon process

After the logon, the Windows Hello configuration should appear under Sign-in options in Account Settings

Sign-in options

Please note that Windows Hello Face and Windows Hello Fingerprint are unavailable because we are using a virtual machine 🙂

To sum up, here are the components required from the user’s perspective:

  • A successful single factor authentication (username and password at sign-in)
  • A device that has successfully completed device registration
  • A fresh, successful multi-factor authentication
  • A validated PIN that meets the PIN complexity requirements
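The four requirements above, together with the TPM check from the VM deployment section, can be verified on the test machine in one go. The script below is an added example (not part of the original post); it assumes the GPO settings configured earlier and is run as the test user in an elevated PowerShell after the first Windows Hello sign-in.

```powershell
# Added example (not part of the original post): readiness check for the Windows 10 test machine.
# Assumption: registry locations are those written by the GPO settings used in the post.
$result = [ordered]@{}

# 1. TPM: the Windows Hello key pair must be generated and protected by the TPM
$tpm = Get-Tpm
$result['TpmPresent'] = $tpm.TpmPresent
$result['TpmReady']   = $tpm.TpmReady

# 2. "Register domain joined computers as device" (Device Registration GPO, computer side)
$wj = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' -ErrorAction SilentlyContinue
$result['AutoWorkplaceJoinPolicy'] = [bool]($wj -and $wj.autoWorkplaceJoin -eq 1)

# 3. "Use Windows Hello for Business" (Enable Windows Hello for Business GPO, user side,
#    security-filtered to the Windows Hello for Business Users group)
$pfw = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
$result['WhfbEnabledPolicy']   = [bool]($pfw -and $pfw.Enabled -eq 1)
$result['CertForOnPremPolicy'] = [bool]($pfw -and $pfw.UseCertificateForOnPremAuth -eq 1)

# 4. Join, registration, PRT and PIN (Ngc) state as reported by dsregcmd /status
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
}
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'DeviceId', 'TenantName', 'AzureAdPrt', 'NgcSet') {
    $result[$k] = $ds[$k]
}

# Print everything, then name the items that block Windows Hello provisioning
$result.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
$blocking  = @('TpmPresent', 'TpmReady', 'AutoWorkplaceJoinPolicy', 'WhfbEnabledPolicy' | Where-Object { -not $result[$_] })
$blocking += @('DomainJoined', 'AzureAdJoined', 'AzureAdPrt', 'NgcSet' | Where-Object { $result[$_] -ne 'YES' })
if ($blocking) { Write-Warning "Not ready: $($blocking -join ', ')" }
else { 'Windows Hello for Business prerequisites look good' }
```

NgcSet : YES only appears after the PIN has been provisioned, so on a machine where the Windows Hello screen never showed up the other lines tell you which earlier step is missing.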

So that’s all about the Hybrid Azure AD Windows Hello for Business deployment.