This article summarizes the prerequisites and requirements for setting up Beyond Identity Windows Desktop Login (WDL) across On-Prem AD, Hybrid Azure AD, and Azure AD joined devices, including client, AD, and Domain Connector requirements.
General Information
Beyond Identity supports Windows desktop passwordless login for the following join types. Prerequisites vary by join type. For more information on the integrations, see the Next steps section.
On-premises AD joined
Hybrid Azure AD joined
Azure AD joined
Beyond Identity prerequisites
Beyond Identity Web SSO configured
Super admin privileges in Beyond Identity Admin Console
Client-side prerequisites
Physical access or a console session to the machine to enroll
Device running Windows 10 (version 1703 or later) or Windows 11
Windows Pro or Enterprise edition (Home editions are not supported)
Beyond Identity Platform Authenticator application installed on the device, which must be joined to a single AD instance
Device joined to the domain that matches its join type:
On-prem AD → AD domain
Hybrid → Hybrid Azure AD
Azure AD → Azure AD
Hybrid or On-prem AD only: the root and intermediate CA certificates that issued the Domain Controller certificate deployed to the device, so the client can build a trust chain to the DC
Note: A built-in or pluggable fingerprint reader is optional.
Limitations
WDL setup over an RDP session is not supported; enroll from the physical console or a console session.
TPM 1.2 is not supported.
Federated logins do not receive a Primary Refresh Token (PRT) at sign-in, so Azure AD features that depend on the PRT (such as SSO to Azure AD-protected resources) are unavailable for those sessions.
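The client-side prerequisites and limitations above can be verified before enrollment. The following script is an added example and is not part of the Beyond Identity documentation or product: it is a read-only pre-flight check run from an elevated PowerShell console on the device to be enrolled. It assumes the join type can be read from dsregcmd /status, and it tests the DC certificate chain by opening LDAPS (port 636) to the logon DC, which assumes the DC serves its Kerberos Authentication certificate on that port.

```powershell
# Added example, not part of the Beyond Identity documentation: a read-only
# pre-flight check of the client-side prerequisites and limitations above.
# Run from an elevated PowerShell console (not an RDP session) on the device
# to be enrolled. Join type is inferred from dsregcmd /status; the DC
# certificate chain is tested over LDAPS (636) to the logon DC, which assumes
# the DC serves its Kerberos Authentication certificate on that port.

$results = [System.Collections.Generic.List[string]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $tag = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add(('{0} {1,-45} {2}' -f $tag, $Name, $Detail))
}

# Windows 10 version 1703 is build 15063; Windows 11 builds are 22000 and later.
$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
Add-Check 'Windows 10 1703+ or Windows 11' ($build -ge 15063) "$($os.Caption) build $build"

# Pro or Enterprise edition; Home editions cannot be domain joined at all.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
Add-Check 'Pro or Enterprise edition' ($edition -match '^(Professional|Enterprise)') $edition

# TPM 1.2 is not supported: require a present, ready TPM reporting spec 2.0.
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
Add-Check 'TPM present and ready' ([bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
Add-Check 'TPM 2.0 (1.2 unsupported)' ("$spec" -like '2.0*') "SpecVersion=$spec"

# Setup over RDP is unsupported: SESSIONNAME is 'Console' locally, 'RDP-Tcp#n' over RDP.
Add-Check 'Console session (not RDP)' (-not ("$env:SESSIONNAME" -like 'RDP-*')) "SESSIONNAME=$env:SESSIONNAME"

# Join type (On-prem AD, Hybrid Azure AD, or Azure AD) read from dsregcmd /status.
$dsreg = dsregcmd /status
$azureJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
$joinType = if ($azureJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
            elseif ($azureJoined)  { 'Azure AD joined' }
            elseif ($domainJoined) { 'On-prem AD joined' }
            else                   { 'Not joined' }
Add-Check 'Joined to a supported domain type' ($azureJoined -or $domainJoined) $joinType

# Hybrid / On-prem only: the device must trust the CA chain behind the DC certificate.
if ($domainJoined) {
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $dcHost = if ($env:LOGONSERVER) { "$($env:LOGONSERVER.TrimStart('\')).$domain" } else { $domain }
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($dcHost, 636)
        # Accept any certificate at the TLS layer; the chain is evaluated explicitly below.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($dcHost)
        $dcCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($dcCert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Add-Check 'DC certificate chains to a trusted CA' $chainOk "$($dcCert.Subject) issuer=$($dcCert.Issuer) $status"
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        Add-Check 'DC certificate chains to a trusted CA' $false "LDAPS to ${dcHost}: $($_.Exception.Message)"
    }
}

# A fingerprint reader is optional; report whether a biometric device is present.
$bio = @(Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue)
Add-Check 'Fingerprint reader (optional)' $true "$($bio.Count) biometric device(s) present"

$results
```

A FAIL on the chain check usually means the issuing root or intermediate CA certificate has not reached the device's LocalMachine\Root or CA store (for example, group policy certificate distribution has not yet applied), which is exactly the Hybrid / On-prem prerequisite above.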
Active Directory prerequisites for Hybrid and On-premise AD setup
Note: Customers with only Azure AD joined devices can skip the Active Directory prerequisites and the Beyond Identity Domain Connector prerequisites below.
Enterprise Admin privileges on your AD Domain Controller(s)
AD Domain Controller(s) running on Windows Server 2016 or later
Schema Version: Windows Server 2016 or later schema
Domain and forest functional levels at Windows Server 2008 R2 or later
AD Domain Controller(s) with the following components installed:
Active Directory Domain Services
Active Directory Certificate Services
Kerberos Key Distribution Center (KDC) certificate (issued from the Kerberos Authentication template, which carries the KDC Authentication EKU) deployed on each AD Domain Controller
DNS Services running
Beyond Identity Domain Connector installed
Beyond Identity Domain Connector prerequisites
The Beyond Identity Domain Connector must be installed on a domain-joined server running Windows Server 2016 or later
Alternatively, it can be installed directly on a domain controller
The service account that runs the Beyond Identity service must be a member of the following groups:
Domain Users
Key Admins
Enterprise Key Admins
Administrators
Note: Customers using the Okta AD Agent / SSO Agent to sync users into Okta do not need to install the Beyond Identity Domain Connector; in that case, the service account running the Okta SSO agent must be a member of the groups above.
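The Active Directory and Domain Connector prerequisites above (DC operating system, schema version, functional levels, installed roles, the KDC certificate, the connector host, and the service account's group membership) can be checked from one place. The script below is an added example and is not Beyond Identity's code: it runs read-only queries from an elevated PowerShell session on a domain controller, or on the domain-joined server that will host the Domain Connector with the RSAT ActiveDirectory module and ServerManager available. The service account name 'svc-beyondidentity' is an assumption to replace with the account that will run the Beyond Identity service (or the Okta SSO agent).

```powershell
# Added example, not part of the Beyond Identity documentation: read-only
# checks for the Active Directory and Domain Connector prerequisites above.
# Run from an elevated PowerShell session on a domain controller, or on the
# domain-joined server that will host the Domain Connector (RSAT
# ActiveDirectory module and ServerManager required). The service account
# name is an assumption; replace it with the account that will run the
# Beyond Identity service (or the Okta SSO agent).
param([string]$ServiceAccount = 'svc-beyondidentity')

Import-Module ActiveDirectory
$results = [System.Collections.Generic.List[string]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $tag = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add(('{0} {1,-50} {2}' -f $tag, $Name, $Detail))
}

# Every domain controller must run Windows Server 2016 or later.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ok = $dc.OperatingSystem -match 'Windows Server (2016|2019|2022|2025)'
    Add-Check "DC $($dc.HostName) on Server 2016+" $ok $dc.OperatingSystem
}

# Schema version: objectVersion 87 is the Windows Server 2016 schema (88 = 2019/2022).
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Add-Check 'Schema is Server 2016 or later (objectVersion >= 87)' ([int]$schema.objectVersion -ge 87) "objectVersion=$($schema.objectVersion)"

# Domain and forest functional levels must be Windows Server 2008 R2 or later.
$domain = Get-ADDomain
$forest = Get-ADForest
$minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
Add-Check 'Domain functional level >= 2008 R2' ([int]$domain.DomainMode -ge $minDomain) "$($domain.DomainMode)"
Add-Check 'Forest functional level >= 2008 R2' ([int]$forest.ForestMode -ge $minForest) "$($forest.ForestMode)"

# Roles on this host: AD DS, AD CS and DNS. AD CS is often on a separate CA server;
# for a DC, the KDC certificate check below is what actually matters.
foreach ($feature in 'AD-Domain-Services', 'ADCS-Cert-Authority', 'DNS') {
    $f = Get-WindowsFeature -Name $feature
    Add-Check "Role $feature installed" ([bool]$f.Installed) "$($f.InstallState)"
}
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
Add-Check 'DNS Server service running' ($dns.Status -eq 'Running') "$($dns.Status)"

# KDC certificate: a non-expired cert with a private key in LocalMachine\My whose
# EKU includes KDC Authentication (OID 1.3.6.1.5.2.3.5), as issued from the
# Kerberos Authentication template. Only meaningful when run on a DC.
$kdcOid = '1.3.6.1.5.2.3.5'
$kdcCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $kdcOid })
})
$kdcDetail = ($kdcCerts | ForEach-Object { "$($_.Subject) expires $($_.NotAfter.ToString('yyyy-MM-dd'))" }) -join '; '
Add-Check 'KDC Authentication certificate present on this DC' ($kdcCerts.Count -gt 0) $kdcDetail

# Domain Connector host: a domain-joined Windows Server 2016 or later.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Connector host is domain-joined Server 2016+' (($os.Caption -match 'Server (2016|2019|2022|2025)') -and $cs.PartOfDomain) "$($os.Caption) domain=$($cs.Domain)"

# Service account group membership (direct memberships only; Enterprise Key Admins
# exists only in the forest root domain).
$required = 'Domain Users', 'Key Admins', 'Enterprise Key Admins', 'Administrators'
try {
    $groups = @(Get-ADPrincipalGroupMembership -Identity $ServiceAccount | Select-Object -ExpandProperty Name)
    foreach ($g in $required) { Add-Check "$ServiceAccount is in '$g'" ($groups -contains $g) '' }
} catch {
    Add-Check "Service account $ServiceAccount resolves" $false $_.Exception.Message
}

$results
```

Run it once on each domain controller for the OS, role and KDC certificate checks, and once on the intended connector host for the host and service-account checks; the schema and functional-level results are forest-wide and will be the same everywhere.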
Next steps
View the following guides for more information on the integrations available.