Skip to main content

Integration Guide for Windows Desktop Login (Hybrid Join)

  • Updated

Introduction

This guide provides information on how to set up passwordless Windows Desktop Login (WDL) for Hybrid Azure Active Directory domain joined devices. It covers:

  • Installation and configuration of Beyond Identity Domain Connector on Active Directory Domain Controller for key synchronization.
  • Setting up the Active Directory to use Key Trust based authentication for Beyond Identity Credentials Provider.
  • Installation and configuration of Beyond Identity Desktop Login Authenticator app.

Prerequisites

Beyond Identity Web SSO

  • Beyond Identity Web SSO configured
  • Super admin privileges on Beyond Identity Admin Console

Active Directory Side

  • Enterprise Admin privileges on AD Domain Controller(s)
  • AD Domain Controller(s) running on Windows Server 2016 or later version
    • AD Schema Version: Windows Server 2016 or later schema
  • Minimum required domain functional and forest functional levels for deployment is Windows Server 2008 R2
    • Server Manager > Domains and Trust > Right-Click on the Root Domain > Properties
  • AD Domain Controller must have following components
    • Active Directory Domain Services
    • Active Directory Certificate Services (Required for Server Certificate issuance and publishing 3rd party CA issued certificates) 
  • Kerberos Domain Controller (KDC) certificate must be deployed on the AD Domain Controller(s)
  • DNS Services must be running.
  • The service account used by the SSO AD Agent must be a member of the following groups:
    • Domain Users
    • Key Admin
    • Enterprise Key Admin
    • Administrators

AD Domain Controller dependency

If SSO AD Agent is not available or if you are using Microsoft SSO, Beyond Identity Domain Connector is installed as part of the WDL installation. You can install it on the AD Domain Controller itself or any domain joined server running Windows 2016 or later.

 

GPO policy requirements

You must have the ability to create and push GPO policies. If your GPO replication takes a long time, follow the GPO steps below to confirm the correct GPO policies are applied. This process continues the installation and testing without waiting for it.

  • You must have Azure AD Connect running and synchronizing users and keys between on-prem AD and Azure AD.

Client side device prerequisites

  • Physical access or a console session to the machine to enroll and use WDL
    • Enrollment or using WDL over an RDP session is not supported
  • Joined Hybrid Azure AD domain
  • Running Windows 10 (Build 1703 or later) or Windows 11
    • Must be a Pro or Enterprise License
  • Trusted Platform Module (TPM) 2.0 installed
  • Root & Intermediate certificates for Domain Controller deployed
  • Beyond Identity Authenticator app installed and enrolled in the Beyond Identity Web SSO
    • App is replaced with Beyond Identity Desktop Login Authenticator App

NOTE: Devices may have a built-in or pluggable fingerprint reader as optional.

Beyond Identity Domain Connector installation and configuration

  1. Create (or use an existing) service account (e. g. biservice) and make it a member of the following groups:
    • Domain Users
    • Key Admin
    • Enterprise Key Admin
    • Administrators

  2. On the server where the Domain Connector is installed, ensure that the service account used has sufficient privileges to install system services.
  • Run gpedit.msc
  • Navigate toComputer Configuration>Windows Settings>Security Settings >Local Policies> User Rights Assignment.
  • In the details pane, double-clickLog on as a service.
  • ClickAdd User or Group and add the service account to the list of accounts. Once you have selected the user, click OK.
  • Click OK and close the policy editor.

 

  1. Login to Beyond Identity Admin Console and click on Integrations from the menu.
    • On the Settings page, click the Desktop Login tab.
    • On the Beyond Identity AD Connector click the arrow to Install this service.
    • Click Generate Key and record the newly generated key for use in the next step.

  1. Download the Beyond Identity Domain Connector on a domain joined server from here.
  2. Install the Beyond Identity Domain connector and enter the below values:
    • Access Key: <Use Key generated in a previous step>
    • Domain: Company domain (e.g. beyondadfs.com)
    • Username: service account name used to run the Beyond Identity Service (e. g. biservice@beyondadfs.com)
    • Password: <Service-Account-Password>

  1. Once the installation is complete, make sure the service Beyond Identity Domain Connector is running.

 

AD Server-Side Config

Create a Group for Desktop Login

In the following steps, we will create a group and assign users to participate in Beyond Identity desktop login service.

  1. Sign into AD DC as Domain Administrator.
  2. Launch Server Manager management console.
  3. Click Tools and then on the pull-down menu, click Active Directory Users and Computers.
  4. Right click on Users > New > Group, create a group named Beyond Identity Users.
  5. Then, add appropriate users to this group.

 

GPO Configuration to Enable Biometrics

In the following steps, we will create a new custom policy for the computers / devices participating in Beyond Identity Desktop Login Service. We will assign this to “Beyond Identity Users” group.

  1. Sign into AD DC as Domain Administrator.
  2. Launch Server Manager management console.
  3. Click Tools and then on the pull-down menu, click Group Policy Management.

  1. Double-click Domains, then right-click on the appropriate AD domain name and click Create a GPO in this domain and Link it here….

  1. Enter the Name as Beyond Identity GPO, then click OK.

  1. From the left navigation menu, right-click Beyond Identity GPO and click Edit.
  2. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Component > Biometrics section, and enable the following policies:
    • Allow the use of biometrics
    • Allow users to log on using biometrics
    • Allow domain users to log on using biometrics.

  1. Navigate to Computer Configuration > Policy > Administrative Templates > Windows Component > Windows Hello for Business section, and enable the following policy:
    • Use Biometrics

  1. Navigate to Computer Configuration > Policy > Administrative Templates > System > Logon, and enable the following policy:
    • Turn On Convenience PIN Sign in

  1. Follow the steps below to apply the GPO Policy to Beyond Identity Users group:
    • Under Group Policy Management, navigate to Group Policy Objects.
    • Double-click Beyond Identity GPO.
    • Click the Scope tab.
    • Under Security Filtering, add the Beyond Identity Users group.

  1. Click the Delegation tab, then click Advanced.

  1. Click Authenticated Users group and click Allow permissions for Read

  1. Click the Beyond Identity Users group and click on Allow permissions for Read, Create all child objects, Delete all child objects, and Apply group policy. Click Apply

  1. Under Group Policy Management, double-click on your primary domain and click on the Linked Group Objects tab. 
  2. Make sure the newly created Beyond Identity GPO has the link order 1. 

 

Client-side configuration

Apply the GPO Policy

  1. On a domain-joined Windows device, log in as a domain user with local administrator rights.

  2. Apply the GPO by running gpupdate /force in Windows PowerShell (Administrator mode), or simply reboot the machine.

  3. Verify that the GPO has been applied by running gpresult /r /v in Windows PowerShell (Administrator mode).

Install Beyond Identity Desktop Login 

  1. On a domain-joined Windows device, make sure you are logged in as a domain user and have administrator rights for the local machine.
  2. Go to https://app.byndid.com/desktop-login/downloads and download MSI labeled Desktop Login for Windows.
  3. Ensure Beyond Identity Service service is running on the client before moving to the next step.

 

User Enrollment Process

1. Run the following command in Command Prompt or Windows PowerShell (Administrator mode):

dsregcmd /status

Verify that the output shows the following values:

  • Device State

    • AzureAdJoined: YES

    • DomainJoined: YES

  • Device Details

    • TpmProtected: YES

    • DeviceAuthStatus: SUCCESS

  • SSO State

    • AzureAdPrt: YES

    1.  

2. Open the Beyond Identity Authenticator app.

3. Select the profile already enrolled in Web SSO and click Enroll in desktop login.

4. Enter your domain password to start enrolling in Beyond Identity’s Desktop Login service.

  1. Enter your domain username/password on the Azure AD login screen.

  1. Create a PIN that will be used for passwordless login. Minimum length is 8 characters. Press ENTER once you have entered the PIN.

  1. Confirm the PIN added in the previous step.
  2. Optionally, enroll fingerprints for biometric login and then click Finish Setup.

  1. Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.

User Login Process

  1. Log out or lock local screen.
  2. Choose the Beyond Identity login option.

  1. When prompted, use a fingerprint or enter a PIN to complete login.

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.