Introduction
This guide provides information on how to set up passwordless Windows Desktop Login (WDL) for Hybrid Azure Active Directory domain joined devices. It covers:
- Setting up the Azure Active Directory to use Key Trust based authentication for Beyond Identity Credentials Provider.
- Installation and configuration of the Beyond Identity Desktop Login Authenticator app.
Prerequisites
Beyond Identity Web SSO:
- The Beyond Identity Web SSO must be already configured and working.
- You must have super admin privileges to the Beyond Identity Admin Console.
Client Side:
- You need to have physical access or a console session to the machine to enroll and use WDL. Enrollment or using WDL over an RDP session is not supported.
- Device must have joined the Azure AD domain.
- Device must be running Windows 10 (Build 1703 or later) or Windows 11 (a Pro or Enterprise license is required).
- Device must have Trusted Platform Module (TPM) 2.0 installed.
- Device may have a built-in or pluggable fingerprint reader (Optional).
- Device must have the Beyond Identity Authenticator app installed and enrolled in the Beyond Identity Web SSO. This guide replaces that app with the Beyond Identity Desktop Login Authenticator app.
Client-side Config
Install Beyond Identity Desktop Login
- On an Azure AD domain-joined Windows device, make sure you are logged in as a domain user with administrator rights on the local machine.
- Using a browser go to https://app.byndid.com/desktop-login/downloads and download MSI labeled “Desktop Login for Windows”.
- Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
User Enrollment Process
Run the command below in a Windows Command Prompt or PowerShell and make sure the following parameters match.

dsregcmd /status

- Device State
  - AzureAdJoined: YES
  - DomainJoined: NO
- Device Details
  - TpmProtected: YES
  - DeviceAuthStatus: SUCCESS
- SSO State
  - AzureAdPrt: YES
- Open the Beyond Identity Authenticator app.
- Select the Profile already enrolled in Web SSO and click on “Enroll in desktop login”.
- Enter your username/password on the Azure AD login screen.
- Create a PIN that will be used for passwordless login. Minimum length is 8 characters. Hit ENTER once you have entered the PIN.
- Confirm the PIN added in the previous step.
- Optionally, enroll fingerprints for biometric login and then click “Finish Setup”.
- Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.
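Before walking a user through the enrollment steps, it is worth checking the dsregcmd fields listed above in one pass rather than reading the output by eye. The following PowerShell script is an added example written for this page, not a Beyond Identity tool: it flattens `dsregcmd /status` into a hashtable, compares the five expected values from the enrollment section, and also checks that the “Beyond Identity Service” is running. The service display name is assumed to match the name the guide uses.

```powershell
# Added example (not part of the Beyond Identity guide): verifies the dsregcmd /status
# values the enrollment section expects, plus the Desktop Login service state.
# Run from an elevated PowerShell prompt on the client; no extra modules required.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines under section headers; flatten them to a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-WdlPrerequisites {
    param([hashtable]$Status = (Get-DsregStatus))

    # Expected values as listed in the User Enrollment Process section of this guide.
    $expected = [ordered]@{
        AzureAdJoined    = 'YES'
        DomainJoined     = 'NO'
        TpmProtected     = 'YES'
        DeviceAuthStatus = 'SUCCESS'
        AzureAdPrt       = 'YES'
    }

    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        if ($actual -eq $expected[$key]) {
            Write-Host ("[PASS] {0,-17} {1}" -f $key, $actual)
        } else {
            Write-Host ("[FAIL] {0,-17} got '{1}', expected '{2}'" -f $key, $actual, $expected[$key])
            $ok = $false
        }
    }

    # The guide requires the Beyond Identity Service to be running before enrollment.
    # Display name assumed from the guide's wording.
    $svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        Write-Host "[PASS] Beyond Identity Service is running"
    } else {
        Write-Host "[FAIL] Beyond Identity Service not found or not running"
        $ok = $false
    }

    return $ok
}

if (Test-WdlPrerequisites) {
    "Ready to enroll in Windows Desktop Login"
} else {
    "Fix the failed checks before enrolling"
}
```

A `DomainJoined: YES` result means the device is hybrid-joined rather than Azure AD joined; `AzureAdPrt: NO` usually means the current session was not signed in with the Azure AD account, in which case signing out and back in as the domain user is the first thing to try.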
User Login Process
- Log out or lock local screen.
- Choose the Beyond Identity login option.
- When prompted, use a fingerprint or enter a PIN to complete login.
Appendix A: Troubleshooting
Understand the Customer Environment:
- Azure AD Joined Machine
- Key Provisioning: Using Graph API
- Azure AD Authentication using key trust
- Azure AD for desktop login & Web Applications
- Azure AD Connected App login using PRT
Client Log Location
- Authenticator Logs:
- c:\Users\<user>\AppData\Roaming\BeyondIdentity\logs\authenticator\authenticator<date>.log
- Credential provider Logs:
- c:\ProgramData\BeyondIdentity\logs\credProvider\credProvider<date>.log
- Desktop Login service Logs:
- c:\ProgramData\BeyondIdentity\logs\service\service<date>.log
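When opening a support case it helps to collect the three log locations above together with the device join state. The script below is an added example for this page, not a Beyond Identity utility: it copies the newest log file from each directory listed in this appendix, captures `dsregcmd /status` and the service state, and zips the result. The authenticator log lives under the logged-in user's profile, so the script resolves it through `%APPDATA%`; the credential provider and service logs under `C:\ProgramData` normally need an elevated prompt to read. The output folder name is an arbitrary choice.

```powershell
# Added example (not part of the Beyond Identity guide): bundles the newest log from each
# location named in Appendix A, plus dsregcmd /status and the service state, into a zip.
# Run from an elevated PowerShell prompt so the ProgramData logs are readable.

function Collect-WdlLogs {
    param(
        [string]$Destination = (Join-Path $env:TEMP ("wdl-logs-{0:yyyyMMdd-HHmmss}" -f (Get-Date)))
    )

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # Log directories from Appendix A; the authenticator log is per-user (AppData\Roaming).
    $logDirs = @(
        (Join-Path $env:APPDATA 'BeyondIdentity\logs\authenticator'),
        'C:\ProgramData\BeyondIdentity\logs\credProvider',
        'C:\ProgramData\BeyondIdentity\logs\service'
    )

    foreach ($dir in $logDirs) {
        if (-not (Test-Path $dir)) {
            Write-Warning "Log directory not found: $dir"
            continue
        }
        # Only the most recent log per directory, to keep the bundle small.
        $latest = Get-ChildItem -Path $dir -Filter '*.log' -File |
                  Sort-Object LastWriteTime -Descending |
                  Select-Object -First 1
        if ($latest) {
            Copy-Item -Path $latest.FullName -Destination $Destination
        }
    }

    # Device join / PRT state is the first thing to check when login fails.
    & dsregcmd.exe /status | Out-File -FilePath (Join-Path $Destination 'dsregcmd-status.txt')

    # Desktop Login service state (display name assumed from the guide's wording).
    Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue |
        Format-List Name, DisplayName, Status, StartType |
        Out-File -FilePath (Join-Path $Destination 'service-status.txt')

    Compress-Archive -Path (Join-Path $Destination '*') -DestinationPath "$Destination.zip" -Force
    return "$Destination.zip"
}

Collect-WdlLogs
```

The returned path is the zip file to attach to the case. Because the bundle contains the device's join state and usernames, treat it as sensitive and share it only through the support channel.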
Appendix B: Important Debug commands
Device join status check, leave device, join device
- dsregcmd /status (to check the status of the device, PRT, WHFB enrollment etc…)
- dsregcmd /leave /debug (to unjoin device from Azure AD)
- dsregcmd /join /debug (to join device to Azure AD using CLI)
Commands to see the current user and their domain or groups
- whoami (to check current user’s name and domain)
- whoami /groups (to check current user’s groups)
Command to query for keys in Azure Active Directory:
- Get-AzureADWHfBKeys -Logging -Report -Tenant contoso.com -All
Enable running PowerShell scripts on a client machine
- Set-ExecutionPolicy RemoteSigned (or Unrestricted; RemoteSigned is the less permissive option and is sufficient for locally written scripts)
Important PowerShell modules:
- AzureAd
- whfbtools
- MSAL.PS
- ADSync