On-Prem AD, Windows Hello Question

Posted by thegreatcerebral@reddit | sysadmin | View on Reddit | 14 comments

I am looking into setting up Windows hello for our on-prem domain. We have 0 365 services. I am new to Windows Hello but I'm interested in setting it up. If I am understanding correctly User1 using PC1 logs in and is prompted to setup their PIN/Face/Fingerprint. That information is stored locally for that machine which allows them to login with the PIN. If User1 moves to PC2 after lunch to cover for someone. My assumption is that they will need to use their password to login and then they will be prompted to create a PIN for that machine. User1 can use the same PIN or a different PIN which is stored on that PC. 1. Is it common for people to forget their passwords due to logging in with a PIN so you should increase complexity of the password and the time at which it expires (6 months, 20 characters) OR just leave it as is with a shorter(45 days, 12 characters)? 2. Does the input of incorrect PINs hit the user account or is it hitting the locally stored PIN and is treated separate? 3. On PC2, if it has been a while since the user logged in and their domain password changed since they last used it, what happens when they login with their PIN (assuming they used the same or we are using fingerprint)? 4. Is there a way to allow a user to reset their PIN on a machine if they forgot it? BTW I'm probably looking to use fingerprints but we have some places where a PIN may be the only other option for what we do and our setup.

Reply to Post

14 Comments

[-]

YourOnlyHope__@reddit

for 1) id say if end users are primarily going to log in with Windows Hello and PIN than their passwords shouldnt ever expire. People would forget them at a very high rate and open up the org to threats around password resets. Resets should be rare when MFA is enforced.

[-]

thegreatcerebral@reddit (OP)

Thanks. That is what I was thinking. How does that match any kind of "password change" policy where they want x characters, and changed every y days?

[-]

YourOnlyHope__@reddit

You want to remove the requirement that they be changed. Still keep a complexity requirement or even make it stricter which can help with dictionary attacks as its more likely to be unique. Its the changing part that causes all sorts of problems.

[-]

mikewinsdaly@reddit

PIN and face recognition in my experience played a big part in users forgetting their passwords, leading to large influx of password reset tickets when the password expires. This would also lead into other systems that depend on authentication breaking, such as the patch management system.

[-]

thegreatcerebral@reddit (OP)

So... question though do you need to have them change their PIN ever? Or what happens when they forget their PIN and try many times, do they get locked out?

[-]

mikewinsdaly@reddit

Assuming they don't know their network password, IT would need to reset their network password, have them in the office, and re-login with the temp password which requires a new password to be set immediately. They could reset their pin stuff after that.

[-]

RyanLewis2010@reddit

Last I looked into this, it was a big cluster involving certs and a lot of setup not worth the investment. Especially when we are hybrid and all our apps are SSO off the PC password so if they forget it they get boned and need to reset everything.

[-]

thegreatcerebral@reddit (OP)

Well... sadly I'm looking into it because it is the cheaper option than installing and running DUO on everything. lol I still have so many questions.

[-]

RyanLewis2010@reddit

Good luck if you do manage to get it running reliably please write up a doc for it. As for duo I strongly advise that route. We currently use it works great and at 3$/user/month it’s definitely worth it especially if you are in any industry that requires compliance.

[-]

thegreatcerebral@reddit (OP)

Well a big hurdle I have for this is our "no cellphone" policy. ...I forgot to mention that didn't I? Thankfully I'm not Hybrid and all On-Site so it SHOULD be nice and ...extremely a pain in the you know what to setup. But I have setup a CA before internally so I SHOULD be able to do it. For me it will come down to I may not have enough server licenses as I may need a few more to support the setup. My old place had a datacenter license so that was fun to do things with.

[-]

RyanLewis2010@reddit

Ah yeah that can be a pain. I’m glad to see still have some old school places. My place is mostly old school but hybrid where it’s needed, we are rolling out a new store that the brand won’t let us have desktops so everyone is getting Dell tablets that are all managed thru Intune since imaging something with a dongle is more trouble than it’s worth and all their employees will have f3 licenses so they will be the only ones that get to use windows hello all the other stores are stuck with domain and SSO with duo.

[-]

thegreatcerebral@reddit (OP)

That sounds fun. Yea I just got this gig 2 months ago. We are working towards a lot of different compliances and well MFA seems to be one. Don't tell anyone I told you but ...we have a XP Embedded machine along with an AS/400.

[-]

DaithiG@reddit

PIN is fine but you shouldn't expire their passwords unless you have a reason to. Look at Cloud Trust also, to get away from certs A reason we can't move to PIn only is that our DR site means users log in via their AD credentials and I don't fancy resetting every password if we do have a DR issue.

[-]

thegreatcerebral@reddit (OP)

Ahhhh... ok. i'll look. Thanks.