This guide provides information on how to set up passwordless Windows Desktop Login (WDL) for Hybrid Azure Active Directory domain joined devices. It covers:
- Setting up Azure Active Directory to use Key Trust-based authentication for the Beyond Identity Credential Provider.
- Installation and configuration of the Beyond Identity Desktop Login Authenticator app.
Beyond Identity Web SSO:
- The Beyond Identity Web SSO must be already configured and working.
- You must have super admin privileges to the Beyond Identity Admin Console.
- You need to have physical access or a console session to the machine to enroll and use WDL. Enrollment or using WDL over an RDP session is not supported.
- Device must have joined the Azure AD domain.
- Device must be running Windows 10 (Build 1703 or later) or Windows 11 (Must be a Pro or Enterprise License).
- Device must have Trusted Platform Module (TPM) 2.0 installed.
- Device may have a built-in or pluggable fingerprint reader (Optional).
- Device must have the Beyond Identity Authenticator app installed and enrolled in the Beyond Identity Web SSO. We will replace the app with the Beyond Identity Desktop Login Authenticator app.
Install Beyond Identity Desktop Login
- On an Azure AD domain joined Windows device, make sure you are logged in as a domain user and have administrator rights on the local machine.
- Using a browser, go to https://app.byndid.com/desktop-login/downloads and download the MSI labeled “Desktop Login for Windows”.
- Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
User Enrollment Process
Run the command below in the Windows Command Prompt or PowerShell and make sure the following values match:
- dsregcmd /status
  - Device State
    - AzureAdJoined: YES
    - DomainJoined: NO
  - Device Details
    - TpmProtected: YES
    - DeviceAuthStatus: SUCCESS
  - SSO State
    - AzureAdPrt: YES
- Open the Beyond Identity Authenticator app.
- Select the Profile already enrolled in Web SSO and click on “Enroll in desktop login”.
- Enter your username/password on the Azure AD login screen.
- Create a PIN that will be used for passwordless login. Minimum length is 8 characters. Hit ENTER once you have entered the PIN.
- Confirm the PIN added in the previous step.
- Optionally, enroll fingerprints for biometric login and then click “Finish Setup”.
- Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.
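The device-state check at the start of the enrollment steps can be scripted so that every value the guide requires is verified in one pass. The script below is an added example, not part of the Beyond Identity guide; it assumes dsregcmd prints each field as "Name : Value" and that the service's display name is the “Beyond Identity Service” named in the install step.

```powershell
# Added example, not from the Beyond Identity guide: a pre-enrollment readiness check
# that runs dsregcmd /status and compares the fields the guide lists against the
# values it requires. Parsing assumes dsregcmd prints each field as "Name : Value".

$Expected = [ordered]@{
    'AzureAdJoined'    = 'YES'      # Device State
    'DomainJoined'     = 'NO'       # Device State
    'TpmProtected'     = 'YES'      # Device Details
    'DeviceAuthStatus' = 'SUCCESS'  # Device Details
    'AzureAdPrt'       = 'YES'      # SSO State
}

function Get-DsregStatus {
    # Collect "Name : Value" lines into a hashtable; section headers and blank lines are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-WdlReadiness {
    param([hashtable]$Status = (Get-DsregStatus))
    foreach ($key in $Expected.Keys) {
        $actual = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        [pscustomobject]@{
            Check    = $key
            Expected = $Expected[$key]
            Actual   = $actual
            Pass     = ($actual -eq $Expected[$key])
        }
    }
    # The guide also requires the "Beyond Identity Service" to be running before enrollment.
    # Display name taken from the guide; the underlying service name is not stated there (assumption).
    $svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { [string]$svc.Status } else { '<not installed>' }
    [pscustomobject]@{
        Check    = 'Beyond Identity Service'
        Expected = 'Running'
        Actual   = $svcState
        Pass     = ($svcState -eq 'Running')
    }
}

$results = Test-WdlReadiness
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Device is not ready for Desktop Login enrollment; fix the failed checks first.'
} else {
    Write-Host 'All checks passed; proceed with "Enroll in desktop login".'
}
```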
User Login Process
- Log out or lock local screen.
- Choose the Beyond Identity login option.
- When prompted, use a fingerprint or enter a PIN to complete login.
Appendix A: Troubleshooting
Understand the Customer Environment:
- Azure AD Joined Machine
- Key Provisioning: Using Graph API
- Azure AD Authentication using key trust
- Azure AD for desktop login & Web Applications
- Azure AD Connected App login using PRT
Client Log Location
- Authenticator Logs:
- Credential provider Logs:
- Desktop Login service Logs:
Appendix B: Important Debug commands
Device Joined Status check, release device, join device
- dsregcmd /status (to check the status of the device, PRT, WHFB enrollment etc…)
- dsregcmd /leave /debug (to unjoin device from Azure AD)
- dsregcmd /join /debug (to join device to Azure AD using CLI)
Command to see current user and their domain or groups
- whoami (to check current user’s name and domain)
- whoami /groups (to check current user’s groups)
Command to query for keys in Azure Active Directory:
- Get-AzureADWHfBKeys -Logging -Report -Tenant contoso.com -All
Enable running PowerShell script on a client machine
- Set-ExecutionPolicy RemoteSigned (or, less restrictively, Set-ExecutionPolicy Unrestricted)
Important PowerShell modules: