Introduction
This guide explains how to set up passwordless Windows Desktop Login (WDL) for Hybrid Azure Active Directory domain-joined devices. It covers:
- Installation and configuration of the Beyond Identity Domain Connector on an Active Directory Domain Controller for key synchronization
- Setting up Active Directory to use Key Trust-based authentication for the Beyond Identity Credential Provider
- Installation and configuration of the Beyond Identity Desktop Login Authenticator app
Prerequisites
Beyond Identity Web SSO
- Beyond Identity Web SSO configured
- Super admin privileges on Beyond Identity Admin Console
Active Directory Side
- Enterprise Admin privileges on the AD Domain Controller(s)
- AD Domain Controller(s) running Windows Server 2016 or later
- AD Schema Version: Windows Server 2016 or later schema
- Minimum required domain functional and forest functional levels for deployment: Windows Server 2008 R2
  - Server Manager > Active Directory Domains and Trusts > Right-click on the Root Domain > Properties
- The AD Domain Controller must have the following components:
  - Active Directory Domain Services
  - Active Directory Certificate Services (required for server certificate issuance and for publishing 3rd-party CA issued certificates)
  - A Kerberos Domain Controller (KDC) certificate must be deployed on the AD Domain Controller(s)
  - DNS Services must be running
- The service account used by the SSO AD Agent must be a member of the following groups:
  - Domain Users
  - Key Admin
  - Enterprise Key Admin
  - Administrators
AD Domain Controller dependency
If the SSO AD Agent is not available, or if you are using Microsoft SSO, the Beyond Identity Domain Connector is installed as part of the WDL installation. You can install it on the AD Domain Controller itself or on any domain-joined server running Windows Server 2016 or later.
GPO policy requirements
You must have the ability to create and push GPO policies. If your GPO replication takes a long time, follow the GPO steps below to confirm that the correct GPO policies are applied; this lets you continue the installation and testing without waiting for replication to finish.
- You must have Azure AD Connect running and synchronizing users and keys between on-prem AD and Azure AD.
Client side device prerequisites
- Physical access or a console session to the machine, to enroll in and use WDL
  - Enrolling in or using WDL over an RDP session is not supported
- Joined to the Hybrid Azure AD domain
- Running Windows 10 (build 1703 or later) or Windows 11
  - Must be a Pro or Enterprise license
- Trusted Platform Module (TPM) 2.0 installed
- Root and Intermediate certificates for the Domain Controller deployed
- Beyond Identity Authenticator app installed and enrolled in Beyond Identity Web SSO
  - This app is replaced with the Beyond Identity Desktop Login Authenticator app
NOTE: A built-in or pluggable fingerprint reader is optional.
Beyond Identity Domain Connector installation and configuration
- Create (or use an existing) service account (e.g. biservice) and make it a member of the following groups:
  - Domain Users
  - Key Admin
  - Enterprise Key Admin
  - Administrators
- On the server where the Domain Connector is installed, ensure that the service account has sufficient privileges to install system services:
  - Run gpedit.msc
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  - In the details pane, double-click on “Log on as a service”.
  - Click on “Add User or Group” and add the service account to the list of accounts. Once you have selected the user, click “OK”.
  - Click “OK” and close the policy editor.
- Log in to the Beyond Identity Admin Console and click on Integrations from the menu.
  - On the Settings page, open the Desktop Login tab.
  - On the “Beyond Identity AD Connector” item, click on the arrow to “Install this service”.
  - Click on “Generate Key” and record the newly generated key for use in the next step.
- Download the Beyond Identity Domain Connector on a domain-joined server from here.
- Install the Beyond Identity Domain Connector and enter the following values:
  - Access Key: <Use Key generated in a previous step>
  - Domain: comma-separated domain values (e.g. beyondadfs.com)
  - Username: the service account used to run the Beyond Identity service (e.g. biservice@beyondadfs.com)
  - Password: <Service-Account-Password>
- Once the installation is complete, make sure the service “Beyond Identity Domain Connector” is running.
AD Server-Side Config
Create a Group for Desktop Login
In the following steps, we will create a group and assign users to participate in Beyond Identity desktop login service.
- Sign in to the AD DC as Domain Administrator.
- Launch the “Server Manager” management console.
- Click on “Tools” and then, on the pull-down menu, click on “Active Directory Users and Computers”.
- Right-click on “Users” > “New” > “Group” and create a group named “Beyond Identity Users”.
- Then add the appropriate users to this group.
GPO Configuration to Enable Biometrics
In the following steps, we will create a new custom policy for the computers / devices participating in Beyond Identity Desktop Login Service. We will assign this to “Beyond Identity Users” group.
- Sign in to the AD DC as Domain Administrator.
- Launch the “Server Manager” management console.
- Click on “Tools” and then, on the pull-down menu, click on “Group Policy Management”.
- Double-click on “Domains”, then right-click on the appropriate AD domain name and click “Create a GPO in this domain, and Link it here…”.
- Enter the Name as “Beyond Identity GPO”, then click “OK”.
- From the left navigation menu, right-click on “Beyond Identity GPO” and click “Edit”.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics, and enable the following policies:
  - “Allow the use of biometrics”
  - “Allow users to log on using biometrics”
  - “Allow domain users to log on using biometrics”
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business, and enable the following policy:
  - “Use biometrics”
- Navigate to Computer Configuration > Policies > Administrative Templates > System > Logon, and enable the following policy:
  - “Turn on convenience PIN sign-in”
- Follow the steps below to apply the GPO policy to the “Beyond Identity Users” group:
  - Under Group Policy Management, navigate to Group Policy Objects.
  - Double-click on “Beyond Identity GPO”.
  - Click on the “Scope” tab.
  - Under Security Filtering, add the “Beyond Identity Users” group.
  - Click on the “Delegation” tab, then click on “Advanced”.
  - Click on the “Authenticated Users” group and set the “Allow” permission for “Read”.
  - Click on the “Beyond Identity Users” group, set the “Allow” permission for “Read”, “Create all child objects”, “Delete all child objects” and “Apply group policy”, and click “Apply”.
  - Under Group Policy Management, double-click on your primary domain and click on the “Linked Group Policy Objects” tab.
  - Make sure the newly created “Beyond Identity GPO” has link order 1.
Client-side configuration
Apply the GPO Policy
- On a domain-joined Windows device, make sure you are logged in as a domain user and have administrator rights on the local machine.
- Apply the GPO by running gpupdate /force from an elevated Windows PowerShell prompt, or simply reboot the machine.
- Verify that the GPO is applied by running gpresult /r /v from an elevated Windows PowerShell prompt.
Install Beyond Identity Desktop Login
- On a domain-joined Windows device, make sure you are logged in as a domain user and have administrator rights on the local machine.
- Using a browser, go to https://app.byndid.com/desktop-login/downloads and download the MSI labeled “Desktop Login for Windows”.
- Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
User Enrollment Process
- Run dsregcmd /status in a Windows command prompt or PowerShell and make sure the following parameters match:
  - Device State
    - AzureAdJoined: YES
    - DomainJoined: YES
  - Device Details
    - TpmProtected: YES
    - DeviceAuthStatus: SUCCESS
  - SSO State
    - AzureAdPrt: YES
- Open the Beyond Identity Authenticator app.
- Select the Profile already enrolled in Web SSO and click on “Enroll in desktop login”.
- Enter your domain password to start enrolling in Beyond Identity’s Desktop Login service.
- Enter your domain username/password on the Azure AD login screen.
- Create a PIN that will be used for passwordless login. The minimum length is 8 characters. Press ENTER once you have entered the PIN.
- Confirm the PIN added in the previous step.
- Optionally, enroll fingerprints for biometric login and then click “Finish Setup”.
- Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.
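The client-side readiness checks from the sections above (the dsregcmd /status values, the applied GPO, and the “Beyond Identity Service” state) gathered into one script. This is an added example, not a script from Beyond Identity or from this guide; the GPO display name and the service display name are assumed to be the ones this guide uses.

```powershell
# Added example (not part of the Beyond Identity guide): verify the client-side
# prerequisites before a user attempts Desktop Login enrollment. The expected
# dsregcmd /status values are the ones listed in the enrollment steps.
$Required = [ordered]@{
    'AzureAdJoined'    = 'YES'      # Device State
    'DomainJoined'     = 'YES'      # Device State
    'TpmProtected'     = 'YES'      # Device Details
    'DeviceAuthStatus' = 'SUCCESS'  # Device Details
    'AzureAdPrt'       = 'YES'      # SSO State
}

function Get-DsregStatus {
    # dsregcmd prints "   Key : Value" lines; fold them into a hashtable.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-WdlReadiness {
    # Returns a list of human-readable failures; an empty list means ready.
    param([hashtable]$Status, [string]$GpoName = 'Beyond Identity GPO')
    $failures = @()
    foreach ($key in $Required.Keys) {
        if ($Status[$key] -ne $Required[$key]) {
            $failures += "dsregcmd ${key}: expected $($Required[$key]), got '$($Status[$key])'"
        }
    }
    # gpresult /r lists applied GPOs by display name (the computer section needs elevation).
    $gpresult = & gpresult.exe /r 2>$null
    if (-not ($gpresult | Select-String -SimpleMatch $GpoName)) {
        $failures += "GPO '$GpoName' is not listed in gpresult /r output"
    }
    # Assumed display name of the service installed by the Desktop Login MSI.
    $svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $failures += "'Beyond Identity Service' is not running"
    }
    return $failures
}

$problems = @(Test-WdlReadiness (Get-DsregStatus))
if ($problems.Count -eq 0) { 'Device is ready for Desktop Login enrollment.' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it from an elevated PowerShell prompt so that gpresult /r includes the computer-side GPOs; a non-zero exit code means at least one prerequisite is still missing.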
User Login Process
- Log out or lock local screen.
- Choose the Beyond Identity login option.
- When prompted, use a fingerprint or enter a PIN to complete login.