Do I Need VPN Connectivity for Windows Hello for Business Registration

Hello everyone, my name is Zoheb Shaikh and I'm a Solution Engineer working with the Microsoft Mission Critical team (SfMC). Today I'll share an interesting discussion about Windows Hello and the need for VPN/Connectivity with Domain Controllers.

Recently I was interacting with an SfMC customer and was told that many users fail to register to Windows Hello for Business (WHFB) unless they connect to VPN or the Office . The critical question that came my way was get your users to register with the least possible hassle, and if we can help here.

I said of course I can help, after all I am your trusted Advisor :smile:

Before I start sharing any more details, I would like to give you some background on their implementation and about Windows Hello for Business.

What is Windows Hello for Business: ” In Windows 10/11, Windows Hello for Business replaces passwords with strong two-factor on devices. This consists of a new type of user credential that is tied to a device and uses biometric or PIN.”

For more details, please read the Documentation here

Coming back to our customer scenario: They were running a hybrid environment with domain controllers on 2019, Connect using Password Hash Sync and Co-Managed devices.

They recently had implemented a WHFB hybrid deployment model with Key trust for their mixed environment, with around 40% of users working from home.

WHFB was enabled through Intune, and a pilot was conducted for around 50 users.

Here the feedback on the results:

  • Users in Office (Connected to LAN)
    • Users were prompted for enrolment and worked without any issues.
    • Once at home, PIN/Biometrics worked fine.
  • Users working from Home
    • Some users had a smooth experience, however others had a little bumpy ride.
    • Some had issues setting their PIN,
    • Few set their PIN successfully but at next Logon it failed using PIN/Biometrics
      • The workaround was to connect to VPN, login with PIN after which it continued working even without a VPN connection

Based on what they explained to me it seemed the issue is with users who are working from home when connecting through VPN or not connecting to VPN.

Customer Expectations: Windows Hello for Business Enrolment should work seamlessly even if user is working is working from Home.

Being a part of Mission Critical team, we always strive to not only help customers advice on some of the Problem areas but more importantly to understand the situation and try to come up with a solution where possible.

In this scenario it was clear that WHFB works well for users connected to Office (Where Domain Controllers are in line of sight) but when users are at Home it does not work well for .

Key aspect for Work from Home users we separated was that the users were successfully registering/Enrolling to WHFB but when attempting to Authenticate using WHFB many were failing.

I did some research and communicated with SME's internally to understand a bit more on this.

The below diagram represents how Windows Hello works:

ZohebShaikh_0-1691428649982.png

We concluded that a newly provisioned user will not be able to sign in using Windows Hello for Business until

  • (ENTRA ID) Connect successfully synchronizes the public key to the on-premises
  • Device has line of sight to the domain controller for the first time.

The customer now understood why it is needed but had a follow up question.

Well, I have few users who never connect to VPN and are not visiting office at all, what can we do about them.

My response to that was it could be achieved using Cloud Only trust model, see details here.

Another query which came after this was will also need Domain Controller in Line of Sight, answer is NO.

This is only needed at 1st time Authentication and is not needed on an ongoing basis.

Hope this helps,

Zoheb

 

This article was originally published by Microsoft's Secure Blog. You can find the original article here.