Windows Hello – it was working until November 2016?
If, like me, you’ve been using Windows Hello on your domain-joined devices quite happily up until the November Patch Tuesday, then all hell broke loose as Windows Hello was updated; however MS didn’t mention this, or at least I didn’t see anything. The net result was that domain-joined PCs/devices that were using Hello (either PIN or biometric) stopped working and users had to go back to passwords to log in…how last year! The KB in question that appears to have made the change was KB3199986.
At worst you’ll see something along the lines of “no logon servers were available to service your request”. If you are seeing either of these errors then the following will help you get this resolved.
So this KB update and consequential change sent me into the wild world of Hello for Business (aka Windows Passport), which was a new world for me. Ok, the basics are wrapped up in Windows authentication and Active Directory so it shouldn’t be that complicated, should it? Well, the first thing every IT Pro will know is that when our friends at Redmond release a new product or an update, the documentation on the various Microsoft sites can be, let’s say, lacking. This is the case with the documentation relating to configuring Windows Hello for Business. There are a couple of different ways to implement Hello for Business: certificate based and key based. The certificate based method requires a lot more investment in infrastructure services if you don’t have them already, i.e. SCCM, PKI servers etc. Give Microsoft credit, they have realised that some customers don’t want to go down this route/cost. This is where the key based model comes in; however there is lots of information out there for building certificate based solutions but I couldn’t find anything for key based. The Microsoft documentation does pay lip-service to it but it lacks the guts that us IT pros need to get the ball rolling.
Windows Hello for Business – Prerequisites
So before we can get started implementing Windows Hello for Business we need to make sure that we have the parts in place to support it. Checking out the documentation on TechNet they helpfully provide a list of the components that we need here.
So the ingredients for Windows Hello for Business key based authentication are:
- Active Directory (on-premise)
- Azure Active Directory subscription
- Windows Server 2016 Domain Controller
- Azure AD Connect (AD sync from on-premise to Azure AD)
- Active Directory Group Policy (on-premise)
- Active Directory Certificate Services
There is lots of information out there that seems to suggest you need additional ingredients to get key based authentication for Windows Hello for Business working however the above list is all you need…trust me 🙂
My current environment – Windows Server 2012R2 Active Directory
So let’s start with my current environment configuration. It is most likely very similar to yours in that I have an on-premises Active Directory which is running Windows Server 2012R2 and its schema. I have Azure AD Connect running on one of my DCs that is syncing to Azure AD, which is also the AAD that is servicing my Office 365 tenant. I do have Intune enabled on this tenant but I can assure you now that it isn’t a pre-req for Windows Hello for Business key based authentication.
The PCs are currently using Windows Hello PIN and biometrics to authenticate – this is pre-KB3199986. Everything at this stage is working fine…then KB3199986 lands and this triggers Windows Hello for Business, which means that the current infrastructure will need to support this if the users are to continue using PINs and biometrics.
Windows Hello for Business – Windows Server 2016 Install
The first thing we need to do is install a Windows Server 2016 server. This is the only bit of new “stuff” you need to purchase for your infrastructure to support Windows Hello for Business. Assuming that you’ve purchased your license for Windows Server 2016 you can start.
Install Windows Server 2016 – I am not going to go through the process of installing Windows Server as I am sure you all know how to do that, and let’s face it, these days it is so simple anyone can do it 🙂
First off, complete the following tasks:
- Install Windows Server 2016
- Install “Active Directory Domain services” feature
The next step is to promote this server to a domain controller within your existing domain. Be aware that this process will update your Active Directory schema to the Windows Server 2016 level (version 87). You can see your current schema version by opening ADSI Edit, connecting to the Schema naming context, opening the properties of the schema container and locating the objectVersion attribute.
If you have services that are reliant on a version of AD schema to be present you may want to stop now and consult with your peers to determine the effect of a schema change on your organisation.
Assuming you’re happy to continue, you can carry on and promote your new Windows Server 2016 server to a Domain Controller. Again I am going to assume you know how to do this. Once the promotion has completed you can view the schema version in ADSI Edit to confirm that everything was successful.
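The role install, promotion and schema check above can also be scripted. The following is an added example of my own, not from the original post: it installs the AD DS role on the new 2016 server, records the schema version, promotes the server into the existing domain and reads the schema version back afterwards. The domain name and drive paths are placeholders for your own values.

```powershell
# Added example (not part of the original post): promote a fresh Windows Server 2016
# member server into an existing domain and confirm the schema version moved to 87.
# 'corp.example.com' and the D:\ paths are placeholders.

# Step 1: install the AD DS role together with the RSAT tools (gives us the
# ActiveDirectory PowerShell module used below).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Read objectVersion from the schema container, the same attribute ADSI Edit shows.
# Windows Server 2012 R2 = 69, Windows Server 2016 = 87.
function Get-SchemaVersion {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}
"Schema version before promotion: $(Get-SchemaVersion)"

# Step 2: promote. Use an account that is a member of both Enterprise Admins and
# Schema Admins, because the promotion runs adprep (forestprep/domainprep)
# automatically and that is what raises the schema to version 87.
$cred = Get-Credential -Message 'Enterprise Admins + Schema Admins account'
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential $cred `
    -InstallDns `
    -DatabasePath 'D:\NTDS' `
    -LogPath 'D:\NTDS' `
    -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
# The server reboots at the end of the promotion. After logging back on, run:
"Schema version after promotion: $(Get-SchemaVersion)"   # expect 87 for Server 2016
```

Run the “before” check on any existing 2012R2 DC as well: if it does not report 69 you have a schema that is already ahead of, or behind, what you expected, which is exactly the situation the warning above asks you to review before continuing.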
Windows Hello for Business – Install Active Directory Certificate Services feature
The next step is to install ADCS onto a server within your infrastructure. If you’ve already got this installed on your infrastructure you can skip this step. If you’re still with me then we’ll continue. In my case I didn’t have an ADCS service present on my infrastructure and, as the ultimate goal will be to decommission my 2012R2 servers, I decided to install ADCS onto my 2016 server.
- From Server Manager select “Manage” -> “Add Roles and Features”
- Select “Role-based or feature-based installation”
- Select the server you want to install ADCS onto from the list
- Select “Active Directory Certificate Services”
- Click on “Add Features”
- Click “Next” on the “Select Features” screen
- Ensure that only “Certification Authority” is selected then click “Next”
- Finally click on “Install”
- Once installed click on “Close”
Windows Hello for Business – Configure Active Directory Certificate Services
- From Server Manager click on the notification flag and then click “Configure Active Directory Certificate Services on the..”
- Enter the credentials of a user that is a member of the Enterprise Admins group
- Select “Certification Authority” and click “Next”
- Select “Enterprise CA” and click “Next”
- Select “Root CA” and click “Next”
- Select “Create a new private key” and click “Next”
- Check the defaults are set as shown and then click “Next”
- You can take the defaults on this page; it will use the DC name and domain to construct the CA name. Click “Next”
- Set the expiry date and click “Next”
- Set the database locations. In my case I’ve got my AD databases on a different drive so I’ve located the CA databases on the same drive. Click “Next”
- Finally check the details in the confirmation window and click “Configure”
- Hopefully after a few seconds you’ll see confirmation that everything went to plan. Click “Close”
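For anyone who would rather not click through the two wizards above, here is the same role install and Enterprise Root CA configuration done from PowerShell. This is an added example of mine, not from the original post: the CA name, validity period and database paths are placeholders, and the provider, key length and hash are the values I chose (they match what the wizard defaulted to in my case, but check yours). It finishes by confirming the CA was registered in Active Directory as an enterprise CA, which is what makes the Kerberos Authentication template available to the DCs in the next step.

```powershell
# Added example (not part of the original post): install and configure an Enterprise
# Root CA on the new 2016 DC, then confirm it is registered as an enterprise CA in AD.
# CA name, validity and paths are placeholders; provider/key/hash are my choices.

# Only the "Certification Authority" role service, as in the wizard above.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure: Enterprise CA, Root CA, new private key. Needs an Enterprise Admin.
$cred = Get-Credential -Message 'Enterprise Admins member'
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CORP-DC01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory 'D:\CertDB' `
    -LogDirectory 'D:\CertLog' `
    -Credential $cred `
    -Force

# Verification 1: an enterprise CA publishes a pKIEnrollmentService object under the
# configuration partition. If it is missing, the CA is standalone and domain members
# will not be able to auto-enroll from its templates.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$esContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
Get-ADObject -SearchBase $esContainer -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName | Select-Object Name, dNSHostName

# Verification 2: the new root certificate should already be in the local machine's
# Trusted Root store (and will reach domain members via Group Policy).
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like '*CORP-DC01-CA*' |
    Select-Object Subject, NotAfter, Thumbprint
```

If Verification 1 returns nothing, go back and check that you picked “Enterprise CA” rather than “Standalone CA”; the Kerberos Authentication template in the next section only appears for an enterprise CA.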
Windows Hello for Business – Setup Kerberos Authentication Root Certificate
Ok, so far we’ve installed a Windows Server 2016 server, added it to the 2012R2 Active Directory as a domain controller, installed Active Directory Certificate Services on it and configured it as an enterprise CA. The next step is to create the Kerberos Authentication certificate for the domain controllers. This is needed by Windows Hello for Business so the client can authenticate the domain controllers; without it Hello won’t authenticate against the local Active Directory.
- Open MMC (Microsoft Management Console) and click on “File” -> “Add/Remove Snap-in..”
- Select “Certificates” and click “Add”
- Select “Computer account” and click “Next”
- Select “Local computer” and click “Finish”
- Expand “Certificates” -> expand “Personal” -> right-click “Certificates”. Click on “All Tasks” -> “Request New Certificate”
- Click on “Next” at the “Before You Begin” screen
- The option should already be set to “Active Directory Enrollment Policy”, click “Next”
- Check “Kerberos Authentication” and click “Enroll”
- After a few moments you should get a “Succeeded” screen, click “Finish”
VERY IMPORTANT! You MUST create this certificate on every domain controller in your forest.
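Because the certificate has to exist on every DC, it is worth having a check that tells you which DCs are missing it rather than trusting your memory of which MMC consoles you opened. The script below is an added example of mine, not from the original post: it walks every domain controller in the forest, looks in the machine’s Personal store for a valid certificate with a private key whose EKU includes KDC Authentication (OID 1.3.6.1.5.2.3.5, the EKU the Kerberos Authentication template adds), and then requests the certificate on any DC that lacks one. It assumes PowerShell remoting is enabled on the DCs and that the template’s internal name is KerberosAuthentication.

```powershell
# Added example (not part of the original post): audit every DC in the forest for a
# Kerberos Authentication certificate and enroll one where it is missing.
# Assumes PS remoting is enabled on the DCs and the ActiveDirectory module is present.

$kdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU

# Every DC in every domain of the forest, not just the current domain.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $kdcAuthOid, $dc.HostName -ScriptBlock {
        param($oid, $hostName)
        $now = Get-Date
        # Valid, has a private key, and carries the KDC Authentication EKU.
        $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.NotAfter -gt $now -and $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $oid)
        }
        $newest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
        [pscustomobject]@{
            DC         = $hostName
            HasKdcCert = [bool]$certs
            Expires    = $newest.NotAfter
            Issuer     = $newest.Issuer
        }
    }
}
$results | Sort-Object DC | Format-Table DC, HasKdcCert, Expires, Issuer -AutoSize

# Enroll from the enterprise CA on any DC that came back without one. Same result
# as the "Request New Certificate" wizard, but driven from here.
foreach ($missing in ($results | Where-Object { -not $_.HasKdcCert })) {
    Write-Host "Enrolling Kerberos Authentication certificate on $($missing.DC)"
    Invoke-Command -ComputerName $missing.DC -ScriptBlock {
        Get-Certificate -Template KerberosAuthentication -CertStoreLocation Cert:\LocalMachine\My
    }
}
```

The Expires column is the other thing to keep an eye on: when the Kerberos Authentication certificate on a DC lapses, that DC silently drops out of the set that Hello clients can authenticate against, and you are back to “no logon servers were available” for whichever users happen to land on it.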
Windows Hello for Business – Azure AD Connect Re-sync
The good news is that we are almost there!! One last piece of the puzzle, without which you’ll never get Windows Hello for Business working properly. I know this because this one piece took me 3 days to discover….the good news is I won’t need a haircut for a while as I’ve pulled it all out!
The missing bit…..Azure AD Connect! Now if you’re like me you’ve had this little product running happily in your current environment for some time, and because it takes very little maintenance it can be overlooked when making changes to the infrastructure. And what change have we recently made……we’ve updated the Active Directory schema with all sorts of goodies from Windows Server 2016 to support our new life in the cloud. However good old AD Connect has no idea we’ve done this, so it’s happily syncing the stuff it knows about, which is where the problem lies. The extra attributes within the new schema are essential to getting Windows Hello for Business to work, so we need to update AD Connect to replicate the new schema to Azure AD. The great news here is that it is a pretty simple process, thank you Microsoft!
- From the server that is currently running AD Connect, double-click on the application icon
- Select “Refresh directory schema” and click “Next”
- Enter the credentials of a global admin on your Azure AD; best practice is to use the same account that was used when AD Connect was initially installed. Click “Next”
- Select the domain you’d like to refresh and click “Next”
- Check “Start the synchronization process when configuration completes” and click “Configure”
- After a few minutes (depending on the size of your organisation) you’ll see the success page.
Windows Hello for Business – Group Policy Configuration
The last step is to configure Group Policy to enable Windows Hello for Business.
Download the latest Windows 10 ADMX files from Microsoft here and update either your DCs or central store.
Once installed you can find the Windows Hello for Business GPO in:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Hello for Business.
The main option here is “Use Windows Hello for Business” and this needs to be set to “Enabled”.
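The same policy can be created and linked from PowerShell, which is handy if you want it in a change script rather than a screenshot. This is an added example of my own, not from the original post. It assumes the registry value that the PassportForWork ADMX template maps “Use Windows Hello for Business” to (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, Enabled = 1); the GPO name and target OU are placeholders.

```powershell
# Added example (not part of the original post): create a GPO that enables
# "Use Windows Hello for Business" and link it to the workstation OU.
# Assumption: the ADMX maps this setting to the PassportForWork\Enabled DWORD.
# GPO name and OU distinguished name are placeholders.
Import-Module GroupPolicy

$gpoName  = 'Windows Hello for Business - Enable'
$targetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'

# Create the GPO if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer Configuration -> Policies -> Administrative Templates ->
# Windows Components -> Windows Hello for Business -> "Use Windows Hello for Business" = Enabled
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork' `
    -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

# Link it (ignore the error if the link already exists).
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# Report what the GPO now contains so the change can be reviewed.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork' |
    Select-Object ValueName, Type, Value
```

On a client, after gpupdate /force, Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' should show Enabled = 1, and dsregcmd /status (User State section) will tell you whether the user’s Hello key has been provisioned once they have been through the PIN wizard again.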
That’s it for the infrastructure side of things, you’re now ready to support Windows Hello for Business.
Windows Hello for Business – Client Configuration
Client configuration is a bit tricky because clients could be at different stages. For example my users saw the following screen when they restarted their PCs after the update was applied.
I am assuming this screen was shown because they already had PIN/biometrics configured and Windows assumed that there was already a Windows Hello for Business infrastructure installed, which there wasn’t of course. In most cases the users have gone through the PIN wizard that follows the above screen and then discovered that the PIN/biometrics no longer work and have reverted back to passwords. However, as soon as the infrastructure is in place they will be able to start using their PIN/biometrics again with no additional configuration.
I did have a couple of test environments running when I was writing this blog; on one of the domains I couldn’t get the PIN/biometrics to work at all. I kept hitting strange errors when using the PIN like this:
There were a couple of differences between this domain and the domain that was working. These were: this one was connected to a Business Premium Office 365 tenant vs the working tenant, which was an E3 tenant with AD Premium enabled. The other difference was that this domain had a domain controller which was on an Evaluation license. In the working domain all the DCs were using fully licensed servers. Once I removed the server running the evaluation license from the domain, Windows Hello for Business started working properly. Now I don’t know if the issue was the eval license; maybe removing it from the domain changed something. The DC with the eval license was also running AD Connect so I moved this to the Server 2016 DC. Again, this action might have been what caused Windows Hello for Business to kick into life, I’m not sure. But I thought it would be worth me noting these experiences just in case it helps someone else in the future.