We are now concluding this journey with the last part of our quest to set up Windows Hello (for Business). Make sure that you read part 1 and part 2 if you haven’t done so. For this final installment, we will push the Windows Hello configuration to the clients using a GPO.
I would highly recommend that you do not push any GPO before you have made absolutely sure that all of the requirements on the client and server side have been met. Not that it will prevent you from putting all of that in place, but it will make your life so much easier in case you need to troubleshoot any outstanding issue. Believe me, I’m talking from experience! Yes, there will be weird issues coming along.
So, this last part is the easiest one. We will push a GPO to the client devices in order to enable WHfB. If you don’t find the settings listed below, or something looks different, make sure that you have imported the latest ADMX templates for Windows 11 and 10 into your AD domain (the Central Store). Here’s the config:
Convenience PIN – NOT!
Let’s check all of these options one by one, and we’ll start with one of the most important points here: don’t confuse a convenience PIN with the WHfB PIN! They are really not the same thing. A convenience PIN (“Turn on convenience PIN sign-in”, under System > Logon in the Computer Configuration) can be set up by anyone on any laptop, domain-joined or not. It does not unlock a TPM-protected key; it simply unlocks the user’s cached password, which is stored inside Windows itself (software), so there is no real security gain with this. With WHfB, an identity provider (Entra ID / Azure AD in our cloud trust setup) validates your credentials during provisioning and registers a key pair whose private key is generated in, and never leaves, the TPM chip (hardware); the WHfB PIN is only the gesture that unlocks that key on this one device. I’ve seen a lot of WHfB configurations that had this setting enabled and thereby defeated the purpose of the whole security layer. So don’t ever set this setting to Enabled! Make sure that it’s Disabled instead.
The next section is self-explanatory: allow domain users (or not) to sign in using biometrics, with whatever method the computer supports. The PIN itself is not a biometric, but it is the universal gesture because you only need a keyboard, right. After that, if the computer supports it, the gesture can be a fingerprint reader or facial recognition (if the webcam supports it). Just below, you’ll also see an additional option named “Configure enhanced anti-spoofing”. This option prevents unlocking the device with something like a picture of your face. But again, not every webcam supports this feature, so you’ll have to test it yourself to see whether it works or not.
Now for the WHfB section itself. Remember in part 1 where I mentioned that I wanted TPM version 2.0 as the minimum and not support TPM 1.2? This is what the first option, “Use a hardware security device”, is there for: enabling it forces the WHfB key to be generated in the TPM rather than as a software key, and its checkbox for excluding TPM 1.2 devices keeps the older chips out.
And the next section is where the magic happens. We are enabling WHfB, allowing it to use biometrics, and turning on “Use cloud trust for on-premises authentication”, which relies on the cloud trust relationship we set up in part 2 using the “virtual” DC (the Azure AD Kerberos server object). At this point you have everything you need to make it work.
The last section, under User Configuration, is whether we want WHfB provisioning to start right after the user signs in or not. The “Use Windows Hello for Business” setting there has a “Do not start Windows Hello provisioning after sign-in” checkbox; leave it unchecked if you want users to be prompted at logon.
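If you’d rather script the GPO than click through GPMC (or want to audit that somebody clicked the right boxes), here is an added example that is not from the original post: it writes the same settings described above with the GroupPolicy module. The GPO name and OU are placeholders, and the registry paths are the ones the Passport.admx, Biometrics.admx and Logon.admx templates back these settings with; double-check them against the templates in your Central Store, because a wrong path silently does nothing.

```powershell
# Added example (not from the original post). Run on a machine with RSAT
# (GroupPolicy module) as a user allowed to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'WHfB - Cloud Kerberos Trust'          # placeholder name
$TargetOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Every setting below is an Enabled=1 / Disabled=0 REG_DWORD under a
# HKLM\SOFTWARE\Policies path, which is what the ADMX templates write
# (ASSUMPTION: paths match your Central Store templates).
$machine = @(
    # Convenience PIN - NOT! (System > Logon > Turn on convenience PIN sign-in = Disabled)
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System';                ValueName = 'AllowDomainPINLogon';        Value = 0 },
    # Biometrics: allow it, allow it for domain users, enhanced anti-spoofing
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics';                    ValueName = 'Enabled';                    Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; ValueName = 'Domain Accounts';            Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures';     ValueName = 'EnhancedAntiSpoofing';       Value = 1 },
    # Windows Hello for Business: on, TPM required, TPM 1.2 excluded, biometrics, cloud trust
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork';                ValueName = 'Enabled';                    Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork';                ValueName = 'RequireSecurityDevice';      Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices'; ValueName = 'TPM12';          Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics';     ValueName = 'UseBiometrics';              Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork';                ValueName = 'UseCloudTrustForOnPremAuth'; Value = 1 }
)
foreach ($s in $machine) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName -Type DWord -Value $s.Value | Out-Null
}

# User Configuration: Use WHfB = Enabled, and leave "Do not start Windows Hello
# provisioning after sign-in" unchecked (0) so users get prompted right after logon.
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKCU\SOFTWARE\Policies\Microsoft\PassportForWork' -ValueName 'Enabled'                      -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKCU\SOFTWARE\Policies\Microsoft\PassportForWork' -ValueName 'DisablePostLogonProvisioning' -Type DWord -Value 0 | Out-Null

# Link it to the OU (once), then read back what was written before it applies anywhere.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
}
Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork' | Format-Table ValueName, Value -AutoSize
```

Set-GPRegistryValue writes into the GPO’s registry.pol exactly as the Administrative Templates editor would, so the result shows up in GPMC under the usual setting names, and a gpresult on the client will list it under the same headings.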
Adding security filtering on the GPO
Let’s add a cherry on top of all of this. Why not add a security group such that, if the user is a member, the GPO enabling WHfB applies, and if the user is not a member, WHfB stays off? This can be easily accomplished by creating a new security group in AD, adding it to the scope of the GPO under Security Filtering, and removing Authenticated Users from that list. Two things to watch for on the Delegation tab. First, since the MS16-072 change the computer account reads the user-side part of the GPO, so Authenticated Users (or Domain Computers) must keep Read permission (without Apply), or the GPO will not be processed at all. Second, filtering is evaluated against the account being processed: the user for User Configuration, the computer for Computer Configuration. If you filter this GPO to a user group only, the Computer Configuration settings (biometrics, TPM requirement, convenience PIN) will not apply to anyone, so either also grant the relevant computer accounts Apply Group Policy, or split the computer-side settings into their own GPO.
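The same filtering done with PowerShell, as an added example that is not from the original post; the GPO and group names are placeholders. It grants the pilot group Read + Apply (which is what Security Filtering in GPMC does), keeps Authenticated Users at Read only so the computer account can still fetch the GPO, and grants a computer group Apply so the Computer Configuration half is not filtered out.

```powershell
# Added example (not from the original post). Names below are placeholders.
Import-Module GroupPolicy

$GpoName       = 'WHfB - Cloud Kerberos Trust'   # placeholder
$UserGroup     = 'CORP\WHfB-Pilot-Users'         # placeholder: users who get WHfB
$ComputerGroup = 'CORP\WHfB-Pilot-Computers'     # placeholder: their machines

# Pilot users: Read + Apply Group Policy (User Configuration will apply for them).
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Pilot computers: Read + Apply too, otherwise the Computer Configuration settings
# (biometrics, TPM requirement, convenience PIN) never apply to anyone.
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Authenticated Users: drop from Apply to Read only. Do NOT remove it entirely:
# after MS16-072 the computer account must be able to read the GPO to process the
# user-side settings. -Replace swaps the existing Read+Apply for plain Read.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting delegation; you want GpoApply only on the two pilot groups.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission -AutoSize
```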
If all is good, after the GPO has been applied, you should be able to set up your WHfB PIN and whatever other biometric options are available on your computer. Congratulations on making it this far on this journey!
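To confirm the GPO actually landed on a client (and to have something to look at when the weird issues do show up), here is an added client-side check that is not part of the original post. It reads back the policy values the GPO should have written, the TPM spec version, the dsregcmd fields that cloud Kerberos trust relies on, and the events Windows logs when it decides whether to launch provisioning. The registry paths and value names are assumed to match the ADMX templates in your Central Store, and the two event IDs (358 = provisioning will be launched, 360 = it will not) are the ones Windows writes to the User Device Registration Admin log. Run it elevated after a gpupdate /force and a reboot.

```powershell
# Added example (not from the original post). Run elevated on a client.
function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-WhfbPolicy {
    # ASSUMPTION: paths/value names as written by Passport.admx, Biometrics.admx, Logon.admx
    $pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $bio = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    # Expected values from the GPO in this post; convenience PIN must be 0 (Disabled).
    $expected = [ordered]@{
        'Convenience PIN sign-in'        = @{ Path = $sys;                          Name = 'AllowDomainPINLogon';        Want = 0 }
        'Allow biometrics'               = @{ Path = $bio;                          Name = 'Enabled';                    Want = 1 }
        'Domain users may use biometrics'= @{ Path = "$bio\Credential Provider";    Name = 'Domain Accounts';            Want = 1 }
        'Enhanced anti-spoofing'         = @{ Path = "$bio\FacialFeatures";         Name = 'EnhancedAntiSpoofing';       Want = 1 }
        'Use WHfB'                       = @{ Path = $pfw;                          Name = 'Enabled';                    Want = 1 }
        'Use a hardware security device' = @{ Path = $pfw;                          Name = 'RequireSecurityDevice';      Want = 1 }
        'Exclude TPM 1.2'                = @{ Path = "$pfw\ExcludeSecurityDevices"; Name = 'TPM12';                      Want = 1 }
        'WHfB may use biometrics'        = @{ Path = "$pfw\Biometrics";             Name = 'UseBiometrics';              Want = 1 }
        'Cloud Kerberos trust'           = @{ Path = $pfw;                          Name = 'UseCloudTrustForOnPremAuth'; Want = 1 }
    }
    foreach ($label in $expected.Keys) {
        $e   = $expected[$label]
        $got = Get-PolicyDword -Path $e.Path -Name $e.Name
        $shown = if ($null -eq $got) { '(not set)' } else { $got }
        [pscustomobject]@{ Setting = $label; Expected = $e.Want; Actual = $shown; OK = ($got -eq $e.Want) }
    }
}

function Get-TpmSpec {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the
    # version the "exclude TPM 1.2" policy keys off. Needs an elevated session.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return 'no TPM visible (missing, disabled, or not elevated)' }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Get-DsregState {
    # Pull the fields cloud Kerberos trust depends on out of `dsregcmd /status`:
    # hybrid-joined device (AzureAdJoined + DomainJoined), a PRT, and the Hello key (NgcSet).
    $out   = dsregcmd /status
    $state = [ordered]@{}
    foreach ($k in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet') {
        $line = $out | Where-Object { $_ -match "^\s*$k\s*:" } | Select-Object -First 1
        $state[$k] = if ($line -and $line -match ':\s*(\S+)') { $Matches[1] } else { '?' }
    }
    return [pscustomobject]$state
}

Test-WhfbPolicy | Format-Table -AutoSize
"TPM spec version : $(Get-TpmSpec)"
Get-DsregState | Format-List

# Why Windows did or did not start provisioning for the last sign-ins.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 358, 360 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

An OK = False row with Actual “(not set)” almost always means the GPO did not apply to that account (check the security filtering from the previous section with gpresult /r), while a wrong value means another GPO with higher precedence is overriding yours. Event 360 spells out which prerequisite failed, which is usually faster than guessing.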