So this is a time to go back in time to the Windows Hello series and continue it.
Today’s topic will be the first one that requires more than our laptop.
Requirements
- Active Directory (2008 R2 +)
- Public Key Infrastructure in AD
- Azure AD Connect
- Device Registration on Azure AD Connect
- Windows 10 devices (from 1703+)
The diagram below depicted the overall situation with WHFB Hybrid AD Join
Environment Setup
For this exercise I will deploy a brand new environment that will contain:
- 1 Domain Controller
- 1 PKI Server
- 1 Windows 10 virtual machine with TPM (hosted on Hyper-V server)
As always let’s use PowerShell to deploy part of the environment but before that please download the package from the Github repo https://github.com/przybylskirobert/whfb
Resource Group Deployment
Run the following command in order to create required resource groups
.\Create-ResourceGroup.ps1 -ResourceGroupPrefix 'rg' -ResourceGroupLocation 'northeurope' -LocationShortName 'neu'
The script will create 5 resource groups (every in the North Europe region):
- rg-ad-neu – dedicated resource group for AD-related services
- rg-network-neu – network-related resource group
- rg-mgmt-neu – management related resource group for resources like log analytics etc
- rg-srv-neu – resource group for servers
- rg-wks-neu – resource group for workstations
Network Deployment
Every VM has to be joined to the network so the code below deploys the virtual network
.\Create-VirtualNetwork.ps1 -ResourceGroupName "rg-network-weu" -Location "northeurope" -LocationShortName 'neu' -VirtualNetworkPrefix '10.10' -Verbose
Code below will deploy VNet called vnet-main-neu with 10.10.0.0/24 Address space and three subnets
- snet-adds-neu
- snet-wks-neu
- snet-srv-neu
VMs Deployment
As mentioned at the beginning we will need 2 main servers DC and PKI.
In order to do that please run the following code
$List = @(
$(New-Object PSObject -Property @{Name = 'vm-adds01-neu'; Size = 'Standard_DS1_v2'; Vnet = 'vnet-main-neu'; Subnet = 'snet-adds-main'; IP = "10.10.0.4"; ResourceGroup = 'rg-ad-neu' }),
$(New-Object PSObject -Property @{Name = 'vm-pki01-neu'; Size = 'Standard_DS1_v2'; Vnet = 'vnet-main-neu'; Subnet = 'snet-srv-main'; IP = "10.10.0.68"; ResourceGroup = 'rg-srv-neu' })
)
.\Deploy-VirtualMachines.ps1 -List $List -Location "north europe" -Credential (Get-Credential)
During the script run, you will be asked to provide credentials that will be used as a local admin on the servers
Servers Configuration
As soon as we have access to the new VMS we can start the configuration process.
DC setup
The first to configure will be the domain controller.
Log in to the server and run the following code
$path = "c:\tools\"
$pathTest = Test-Path -Path $path
if ($pathTest -eq $false ) {
new-item -ItemType Directory -Path $path
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Ssl3
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"
$outfile = $path + "Scripts.zip"
Invoke-WebRequest -Uri "https://github.com/przybylskirobert/whfb/archive/refs/heads/main.zip" -OutFile $outfile
Expand-Archive -LiteralPath $outfile -DestinationPath $path
$outfile = $path + "AzureADConnect.msi"
Invoke-WebRequest -Uri "https://download.microsoft.com/download/B/0/0/B00291D0-5A83-4DE7-86F5-980BC00DE05A/AzureADConnect.msi" -OutFile $outfile
Code will download 2 files:
- Scripts.zip from my GitHub repo
- AzureADConnect.ms
Run the following commands
C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -InstallAD -verbose
During the script run, you will be asked to provide a DSRM password and informed about the reboot
After the reboot log in to the system and run the next commands
C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -DeployOU -verbose
This code will deploy the default OU structure and create users
Ignore errors related to the transcript.
The last thing to do on the DC is to download administrative templates and put them in Sysvol
C:\Tools\whfb-main\Configure-ADDS.ps1 -DomainName "mvp.azureblog.pl" -InstallTemplates -verbose
Now we can create Windows Hello for Business Users group that will be used to enable security filtering on the GPO
$groupName = 'Windows Hello for Business Users'
$path = "OU=Groups," + ([ADSI]"LDAP://RootDSE").rootDomainNamingContext.value
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -path $path
Add-ADGroupMember -Identity $groupName -Members domop,tester
PKI setup
The first thing before installing/configuring PKI is domain join 🙂 which I will skip as it is an obvious step.
Same like for DC setup we need to download the zip file from the GitHub repo using the following code:
$path = "c:\tools\"
$pathTest = Test-Path -Path $path
if ($pathTest -eq $false ) {
new-item -ItemType Directory -Path $path
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Ssl3
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"
$outfile = $path + "Scripts.zip"
Invoke-WebRequest -Uri "https://github.com/przybylskirobert/whfb/archive/refs/heads/main.zip" -OutFile $outfile
Expand-Archive -LiteralPath $outfile -DestinationPath $path
Then run the following command
C:\Tools\whfb-main\Configure-ADCS.ps1 -Verbose
Note: During the installation, you will be asked to provide credentials. Please remember that you need to provide Enterprise Admin-level credentials. if you used my script for lab deployment use the Domop account for this
After the script run, we will move to the manual part (not yet scripted but it will be soon) – creating a Certificate template
Open Certificate Authority console and under Certificate templates right-click and select Manage
On the newly opened windows find a template called Kerberos Authentication and duplicate it
New windows should open, now you have to configure the following:
General tab
- Template Display Name: Domain Controller Authentication (Kerberos)
- Validity period: Provide value
- Renewal period: Provide value
Compatibility tab
- Certification Authority: Windows Server 2008 R2
- Certification recipient: Windows 7 / Server 2008 R2
Subject Name tab
- Select: Build from this Active Directory information
- Subject name format: None
- Include this information in alternative subject name: DNS name
Cryptography tab
- Provider Category: Key Storage Provider
- Algorithm name: RSA
- Minimum key size: 2048
- Request hash: SHA256
Close console when done.
GPO Configuration
GPO: Distribute CA Certificate
- Log in to the PKI server and open Certificates console and export computer certificate to .cer file – we will use this file to populate it using GPO to all devices to make sure that our CA will be placed under Trusted Root Certification Authorities
- Switch back to DC and open the Group Policy Management console
- On the domain, level create a new GPO with the following name: Distribute CA Certificate
- From the Details tab select User configuration settings disabled
- In the navigation pane, expand Policies under Computer Configuration.
- Expand Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities and import the certificate that we exported just before.
GPO: Enable Windows Hello for Business
- Open Group Policy Management console
- Create a new Gpo called Enable Windows Hello for Business
- In the navigation pane, expand Policies under User Configuration.
- Expand Administrative Templates > Windows Component, and select Windows Hello for Business
- In the content pane, double-click Use Windows Hello for Business. Click Enable and click OK
- Double-click Use certificate for on-premises authentication. Click Enable and click OK.
- Expand Windows Settings > Security Settings, and click Public Key Policies
- In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
- Select Enabled from the Configuration Model list.
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
- Select the Update certificates that use the certificate templates check box.
- Click OK.
- Link the newly created GPO to domain level
- In the Security Filtering section of the content pane, click Add. Type Windows Hello for Business Users or the name of the security group you previously created and click OK.
- Click the Delegation tab. Select Authenticated Users and click Advanced.
- In the Group or User names list, select Authenticated Users. In the Permissions for Authenticated Users list, clear the Allow check box for the Apply Group Policy permission. Click OK.
GPO: Device Registration
- Open Group Policy Management console
- Create a new Gpo called Device Registration
- In the navigation pane, expand Policies under Computer Configuration.
- Expand Administrative Templates > Windows Components, and click Device Registration.
- In the details pane, right-click Register domain joined computers as device and select Properties.
- Select Enabled from the Configuration Model list.
- Click OK.
- Link the newly created GPO to OU that contains devices that should be included in the WHFB deployment
GPO: Domain Controller Auto Certificate Enrollment
- Open Group Policy Management console
- Create a new Gpo called Domain Controller Auto Certificate Enrollment
- In the navigation pane, expand Policies under Computer Configuration.
- Expand Windows Settings > Security Settings, and click Public Key Policies.
- In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.
- Select Enabled from the Configuration Model list.
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
- Select the Update certificates that use the certificate templates check box.
- Click OK.
- Link the newly created GPO to domain controllers OU
VM deployment
In order to test WHFB properly, we need a machine that has a TPM module installed (physical machine or Gen 2 VM on Hyper-V)
I will skip the VM deployment and domain join here but there is one important thing to check, run PowerShell as an administrator and run the following command
Get-TPM
Check on the results if the TPMPresent parameter is set to True
First Use
As our ‘ volunteer’ we are going to use the ‘Windows Hello Tester’ account which was synchronized to Azure AD.
First of all, we are going to provide a standard user name and its password on the welcome screen
Right after successful login (if we did not make any mistakes) Windows Hello screen should appear.
Because we are using a ‘fresh’ account we have to proceed with MFA configuration – in this case, it will be text message
After MFA setup, the next thing is to configure PIN (I advise using at least 6 characters)
And voilà Windows Hello For Business configuration for user finished
The last thing to do is to check if everything works fine
After the logon, Windows Hello configuration should appear under Sign-in options under Account Settings
Please note that Windows Hello Face, Windows Hello Fingerprint is unavailable due to virtual machine usage 🙂
To sum up, in a nutshell below are the components required from a user perspective:
- A successful single factor authentication (username and password at sign-in)
- A device that has successfully completed device registration
- A fresh, successful multi-factor authentication
- A validated PIN that meets the PIN complexity requirements
So that’s all about Hybrid AD Windows Hello for Business deployment.
Comments are closed.