Introduction
This guide describes how to set up passwordless Windows Desktop Login (WDL) with Beyond Identity on Hybrid Azure Active Directory domain joined devices. It covers:
- Setting up Azure Active Directory to use Key Trust based authentication for the Beyond Identity Credential Provider.
- Installing and configuring the Beyond Identity Desktop Login Authenticator app.
Prerequisites
Beyond Identity Web SSO:
- The Beyond Identity Web SSO must be already configured and working.
- You must have super admin privileges to the Beyond Identity Admin Console.
Client Side:
- You need physical access or a console session to the machine to enroll in and use WDL. Enrolling in or using WDL over an RDP session is not supported.
- The device must be joined to the Azure AD tenant.
- The device must be running Windows 10 (version 1703 or later) or Windows 11, with a Pro or Enterprise license.
- The device must have a Trusted Platform Module (TPM) 2.0.
- Optionally, the device may have a built-in or pluggable fingerprint reader for biometric login.
- The device must have the Beyond Identity Authenticator app installed and enrolled in Beyond Identity Web SSO. The enrollment below replaces that app with the Beyond Identity Desktop Login Authenticator app.
Client-side Config
Install Beyond Identity Desktop Login
- On an Azure AD joined Windows device, sign in as a domain user who has local administrator rights on the machine.
- In a browser, go to https://app.byndid.com/desktop-login/downloads and download the MSI labeled “Desktop Login for Windows”, then run the installer.
- Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
User Enrollment Process
Run the command below in a Windows command prompt or PowerShell and confirm that the following values match before enrolling. Note that the values listed (in particular DomainJoined: NO) describe a device that is Azure AD joined; a hybrid Azure AD joined device reports DomainJoined: YES, so check which join state your deployment expects.
dsregcmd /status
- Device State
- AzureAdJoined: YES
- DomainJoined: NO
- Device Details
- TpmProtected: YES
- DeviceAuthStatus: SUCCESS
- SSO State
- AzureAdPrt: YES
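The following PowerShell script is an added example, not part of this guide or of Beyond Identity's own tooling. It automates the pre-flight checks above: it parses dsregcmd /status and compares the join, TPM and PRT fields to the expected values, then verifies the TPM 2.0, Windows edition, running service and console-session prerequisites. It assumes the service's display name is exactly “Beyond Identity Service” as the guide names it, and that Windows 10 version 1703 corresponds to build 15063; both are assumptions made here, not statements from the guide.

```powershell
# Added example: pre-flight check for Beyond Identity Windows Desktop Login enrollment.
# Not Beyond Identity's code. Assumes the service display name is "Beyond Identity Service".
#Requires -RunAsAdministrator

# Values the guide expects from dsregcmd /status (Azure AD joined device).
$expected = @{
    AzureAdJoined    = 'YES'
    DomainJoined     = 'NO'
    TpmProtected     = 'YES'
    DeviceAuthStatus = 'SUCCESS'
    AzureAdPrt       = 'YES'
}

# dsregcmd prints "   Key : Value" lines; collect them into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}

$failures = @()
foreach ($key in $expected.Keys) {
    $actual = $status[$key]
    if ($actual -ne $expected[$key]) {
        $failures += "dsregcmd: $key is '$actual', expected '$($expected[$key])'"
    }
}

# TPM 2.0 check: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38" on a TPM 2.0 device.
$tpm = Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm `
    -ErrorAction SilentlyContinue
if (-not $tpm) {
    $failures += 'TPM: no TPM reported by Win32_Tpm'
} elseif ($tpm.SpecVersion -notlike '2.0*') {
    $failures += "TPM: spec version is '$($tpm.SpecVersion)', TPM 2.0 required"
}

# Windows version and edition: version 1703 is build 15063 (assumption); Pro or Enterprise required.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 15063) {
    $failures += "OS: build $($os.BuildNumber) is older than Windows 10 version 1703"
}
if ($os.Caption -notmatch 'Pro|Enterprise') {
    $failures += "OS: edition '$($os.Caption)' is not Pro or Enterprise"
}

# The Beyond Identity service must be running before enrollment (display name is an assumption).
$svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    $failures += 'Service: "Beyond Identity Service" is not installed'
} elseif ($svc.Status -ne 'Running') {
    $failures += "Service: ""Beyond Identity Service"" is $($svc.Status), expected Running"
}

# Enrollment over RDP is unsupported; RDP sessions set SESSIONNAME to RDP-Tcp#N.
if ($env:SESSIONNAME -like 'RDP-*') {
    $failures += "Session: running in RDP session '$env:SESSIONNAME'; use the console"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Device meets the Windows Desktop Login prerequisites; continue with enrollment.'
```

Run the script from an elevated PowerShell console on the device before opening the Authenticator app; any warning it prints corresponds to a prerequisite in the list above that must be resolved first.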
- Open the Beyond Identity Authenticator app.
- Select the profile already enrolled in Web SSO and click “Enroll in desktop login”.
- Enter your username and password on the Azure AD login screen.
- Create the PIN that will be used for passwordless login. The minimum length is 8 characters. Press ENTER once you have entered the PIN.
- Confirm the PIN entered in the previous step.
- Optionally, enroll fingerprints for biometric login, then click “Finish Setup”.
- Wait until a confirmation dialog is displayed. You are now enrolled in Windows Desktop Login.
User Login Process
- Log out or lock local screen.
- Choose the Beyond Identity login option.
- When prompted, use a fingerprint or enter a PIN to complete login.