Unit 4: Implement an Authentication Solution Based on Windows Hello for Business
What is Windows Hello for Business
Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
The user’s credential:
- Is a certificate or asymmetric key pair tied to the device.
- Uses a biometric (face or fingerprint) or PIN as the gesture.
- Authenticates to Active Directory or Microsoft Entra ID.
✅ Asymmetric Key Pair
- WHfB generates a public/private key pair during enrollment.
- The private key is stored securely in the device’s TPM (Trusted Platform Module).
- The public key is registered with Microsoft Entra ID or your on-prem AD.
This replaces the password as the primary credential. The private key never leaves the device.
✅ Certificate-Based Option
- In certificate trust mode, WHfB issues a user certificate signed by your enterprise CA.
- The certificate is stored on the device and used for authentication to AD-integrated resources.
This is common in hybrid environments with on-prem AD and PKI infrastructure.
✅ “Tied to the device”
- The credential is bound to the device hardware—specifically the TPM.
- It cannot be exported, copied, or used on another machine.
- This ensures device-bound authentication and prevents credential theft.
Problems with passwords that Windows Hello solves:
- Strong passwords are hard to remember and often reused.
- Server breaches can expose passwords.
- Passwords can be replayed.
- Passwords are vulnerable to phishing.
How Windows Hello for Business Works – Key Points
- Credentials are based on certificates or key pairs.
- Credentials can be bound to the device, and tokens derived from them are also device-bound.
- Identity provider (AD, Entra ID, or Microsoft account) maps the public key to the user account during registration.
- Keys can be generated in:
  - Hardware: TPM 1.2 or 2.0 for enterprises, TPM 2.0 for consumers.
  - Software: When TPM is not available, depending on policy.
Two-factor concept:
- Something the user has: key/certificate tied to the device.
- Something the user knows or is: PIN or biometric.
- PIN and biometric do not roam between devices and are not shared with servers.
  - Biometric templates are stored locally.
  - PIN is never stored centrally.
The private key:
- Never leaves the device when using TPM.
- The server only has the public key, mapped to the user.
- PIN or biometric gesture triggers the device to sign data with the private key.
- The identity provider verifies this signature and authenticates the user.
Key container:
- Personal (Microsoft account) and corporate (AD or Entra ID) keys are stored in one container.
- Keys are separated by identity provider domain to protect privacy.
- Certificate private keys can be protected by the Windows Hello container and gesture.
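The sign-in flow described above (device-bound private key, public key at the identity provider, gesture unlocks a signature over a fresh challenge) as an added example in PowerShell using the Windows CNG API; this is not course material or Windows Hello's own code. It creates a demo key in the TPM key storage provider and falls back to the software provider when no TPM is available; the key name and the nonce are constructed values.

```powershell
# Added demonstration, not part of Windows Hello itself: a non-exportable ECDSA key in the
# TPM-backed "Microsoft Platform Crypto Provider", with software-KSP fallback when no TPM exists.
using namespace System.Security.Cryptography

$keyName = 'whfb-demo-key'                               # demo name, chosen here
$params  = [CngKeyCreationParameters]::new()
$params.ExportPolicy       = [CngExportPolicies]::None   # private key cannot be exported
$params.KeyCreationOptions = [CngKeyCreationOptions]::OverwriteExistingKey
try {
    $params.Provider = [CngProvider]::new('Microsoft Platform Crypto Provider')   # TPM-backed KSP
    $key = [CngKey]::Create([CngAlgorithm]::ECDsaP256, $keyName, $params)
} catch {
    Write-Warning "TPM provider unavailable ($($_.Exception.Message)); using software KSP"
    $params.Provider = [CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $key = [CngKey]::Create([CngAlgorithm]::ECDsaP256, $keyName, $params)
}
"Key provider: $($key.Provider.Provider)"

# Registration: only the public blob leaves the device; the IdP maps it to the user account
$publicBlob = $key.Export([CngKeyBlobFormat]::EccPublicBlob)
try   { $null = $key.Export([CngKeyBlobFormat]::EccPrivateBlob); 'Private export succeeded (unexpected)' }
catch { 'Private key export refused: ' + $_.Exception.InnerException.Message }

# Sign-in: the IdP sends a fresh nonce; the gesture unlocks the key and the device signs the nonce
$nonce = [byte[]]::new(32)
[RandomNumberGenerator]::Create().GetBytes($nonce)
$signature = [ECDsaCng]::new($key).SignData($nonce, [HashAlgorithmName]::SHA256)

# IdP side: verification uses the stored public key only; a replayed signature over a new nonce fails
$idpKey   = [CngKey]::Import($publicBlob, [CngKeyBlobFormat]::EccPublicBlob)
$verifier = [ECDsaCng]::new($idpKey)
"Fresh nonce verifies: $($verifier.VerifyData($nonce, $signature, [HashAlgorithmName]::SHA256))"
$replayNonce = [byte[]]::new(32)
[RandomNumberGenerator]::Create().GetBytes($replayNonce)
"Replayed signature:   $($verifier.VerifyData($replayNonce, $signature, [HashAlgorithmName]::SHA256))"

$key.Delete()   # remove the demo key from the key storage provider
```

The first verification prints True and the replay prints False, which is the property that makes the credential resistant to the password replay problem listed earlier.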
Security Groups for Windows Hello for Business
To simplify deployment, you use security groups.
🔐 Where These Groups Live
- KeyCredential Admins is a custom group you create in on-prem Active Directory.
- KeyAdmins is a built-in group available in Windows Server 2016 domain controllers and newer.
These groups are used to delegate permissions within AD—specifically, to allow Microsoft Entra Connect (or other sync tools) to write the msDS-KeyCredentialLink attribute on user objects. That attribute stores the public key portion of a Windows Hello for Business credential.
KeyCredential Admins (or KeyAdmins)
- Used so Microsoft Entra Connect can synchronize public keys to Active Directory.
- Granted read/write permissions to the AD attribute storing keys.
- If the domain uses Windows Server 2016 domain controllers, the built-in KeyAdmins group is used instead of manually creating KeyCredential Admins.
Creating KeyCredential Admins (older environments):
- Sign in with Domain Admin equivalents.
- Open Active Directory Users and Computers.
- Enable Advanced Features.
- Right-click Users container > New > Group.
- Name it KeyCredential Admins.
- Assign the group read/write permission on the msDS-KeyCredentialLink attribute of user objects.
Windows Hello for Business Users Group
- Used to control which users can enroll and use Windows Hello for Business.
- Group Policy and certificate template permissions are assigned to this group.
- Makes phased rollout easier.
Steps:
- Sign in with Domain Admin equivalents.
- Open AD Users and Computers and enable Advanced Features.
- Right-click Users container > New > Group.
- Name it Windows Hello for Business Users.
- Add users who should be able to configure Windows Hello for Business.
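The two group-creation procedures above, together with the msDS-KeyCredentialLink delegation they describe, as an added PowerShell example (not part of the course material). It assumes the RSAT ActiveDirectory module and Domain Admin rights; the Entra Connect connector account name is a placeholder to replace.

```powershell
# Added example, not course material: create the groups, delegate the attribute, then audit who can write it.
# Assumes RSAT ActiveDirectory module and Domain Admin rights; MSOL_PLACEHOLDER must be replaced.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDN   = $domain.DistinguishedName                 # delegate at the domain root so every user OU inherits
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs at run time instead of hard-coding them
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}
$attrGuid = Get-SchemaGuid 'msDS-KeyCredentialLink'   # attribute that stores the WHfB public key
$userGuid = Get-SchemaGuid 'user'                     # object class the right is scoped to

# Server 2016+ domains ship the built-in group (named "Key Admins"); older domains need the custom one
$delegGroup = if (Get-ADGroup -Filter "Name -eq 'Key Admins'") { 'Key Admins' } else { 'KeyCredential Admins' }
$whfbGroup  = 'Windows Hello for Business Users'
foreach ($name in $delegGroup, $whfbGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer
    }
}

# Read/write on msDS-KeyCredentialLink for descendant user objects (the built-in group already has this)
if ($delegGroup -eq 'KeyCredential Admins') {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        (Get-ADGroup $delegGroup).SID, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)
    $acl = Get-Acl -Path "AD:\$rootDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$rootDN" -AclObject $acl
}

# Put the Entra Connect AD DS connector account in the delegation group (replace the placeholder)
Add-ADGroupMember -Identity $delegGroup -Members 'MSOL_PLACEHOLDER'

# Audit: every principal that can now write the attribute on user objects; review this list periodically
(Get-Acl -Path "AD:\$rootDN").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType, InheritanceType, IsInherited
```

Users who should enroll are then added to the Windows Hello for Business Users group with Add-ADGroupMember, and the Group Policy and certificate template are scoped to that group.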
Microsoft Pluton Security Processor
Traditional model:
- TPM is a separate chip.
- CPU and TPM communicate over a bus interface, which can be attacked if someone has physical access.
Pluton architecture:
- Security is built into the CPU itself.
- Eliminates the vulnerable CPU–TPM communication channel.
- Initially emulates a TPM and uses current TPM APIs.
- Protects credentials, identities, encryption keys and personal data.
- Data cannot be extracted even if malware is installed or the attacker has full physical access.
Traditional TPM Setup:
- The TPM chip is a separate physical component on the motherboard.
- The CPU talks to the TPM over a bus interface (like SPI or LPC).
- If an attacker has physical access, they could:
  - Probe or intercept that communication.
  - Potentially extract secrets like encryption keys or credentials in transit.
Pluton’s Approach:
- Pluton is built directly into the CPU die.
- There’s no external communication path between CPU and TPM—it’s all internal.
- This removes the attack surface that existed in the traditional model.
✅ Think of it like moving your vault inside the CPU, instead of keeping it in a separate room connected by a hallway someone could sneak into.
Pluton is a hardware security processor built directly into the CPU, and it emulates a TPM.
- In traditional systems, the TPM is a separate chip on the motherboard.
- With Pluton, the TPM functionality is integrated into the CPU die.
- It behaves like a TPM 2.0 device, using the same APIs, but with no external communication path.
✅ So when Pluton is active, it is the TPM—there’s no separate chip involved.
| Feature | Traditional TPM | Pluton |
| --- | --- | --- |
| Location | Separate chip | Inside CPU |
| Communication | External bus (vulnerable) | Internal (sealed) |
| TPM Role | Dedicated chip | Emulated by Pluton |
Summary:
Pluton removes the exposed CPU ↔ TPM bus, preventing attackers from physically tapping into it.
🧨 What Does “Physical Access” Mean?
Most attackers are remote. But physical access attacks are a real concern in high-security environments. Here's what it means:
✅ Physical Access = Attacker Has the Device
- The attacker steals the laptop, server, or embedded device.
- They can:
  - Open the case
  - Probe the motherboard
  - Attach logic analyzers or debug tools
  - Try to extract secrets from chips or buses
This is common in targeted attacks, espionage, or supply chain compromise scenarios.
Key points:
- Built with AMD, Intel, Qualcomm, and others.
- Uses Security Hardware Cryptographic Key (SHACK).
- Considered an evolution or replacement of the TPM approach.
- Based on technology from Azure Sphere and Xbox security.