Battle for the Planet of the Credential Providers

Last Updated on July 6, 2022 by rudyooms

Choosing between Windows Hello and the Microsoft Authenticator app to log in to your Windows 10 Azure AD joined device can be hard. I hope this blog explains why.

UPDATE 17-09-2021

Web Sign-in no longer works as a general sign-in option: it is now restricted to use with a Temporary Access Pass (TAP)!!!

What’s new in Windows 10, version 1809 – What’s new in Windows | Microsoft Docs

“Going forward, web sign-in will be restricted to only support Azure AD Temporary Access Pass (TAP).”

So please… pretty please… do not use Web Sign-in anymore when you are not using TAP! (I am not removing this blog because it still shows you a lot of information about the credential providers.)

Background Information

Last Friday, 09-04-2021, I was experimenting with Windows Hello and trying to remove the Password Credential Provider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}.

It was a deep dive into Windows Hello for Business (WHfB) with all of its pros and cons. That’s also the reason why I was very surprised and happy to listen to the MS Cloud IT Pro podcast about the same subject.

Microsoft Cloud IT Pro Podcast – A Microsoft cloud podcast (msclouditpropodcast.com)

They did an excellent job explaining and trying to understand WHfB. After listening to the podcast I felt the urge to look for other possible solutions, so I did.

First and Second Hello Unlock Factors

Back to last Friday… At the beginning of the day, I configured the first and second Hello unlock factors.

These are the Credential providers you can choose from.

Of course, this is very important when you want to deliver real MFA instead of only requiring a simple PIN. In my opinion, only requiring a PIN to unlock your device is not the safest solution out there.

Why, you might ask? In my opinion, a lot of people use a simple PIN code, or, when you allow all characters, they just enter their Microsoft 365 password as the PIN. A far better solution is requiring two unlock factors.

And don’t forget facial recognition! I love facial recognition, and luckily it’s possible and supported to add an external Windows Hello camera in 21H1. I guess everyone with a notebook and a docking station is familiar with this problem: closing the lid when you attach the notebook to the docking station makes it very hard to use the built-in camera for facial recognition.

Don’t get me wrong, not using WHfB is way way worse than using a PIN. Of course, WHfB satisfies the requirements for MFA in AAD but there is more to this story!

Back to the unlock factors! I ended up requiring a PIN and facial recognition.

But I was not satisfied yet. It’s definitely way better than only requiring a PIN but I felt like I was missing my favorite sign-in option… Logging in with the Microsoft Authenticator!

MFA Authenticator App

It’s obvious that when you require MFA, the Microsoft Authenticator app is what you need. It improves the user experience a lot once you have configured the passwordless option and the possibility to sign in with your phone.

So why not use it to log on to your Windows 10 device? Luckily this functionality has been out there for some time.

What’s new in Windows 10, version 1809 – What’s new in Windows | Microsoft Docs

By now, everyone has already upgraded their Windows 10 device to a higher release… (I hope so). But when this feature was released, there were definitely some important notes…

In my opinion, it’s very weird that I can not find any up-to-date information about this, except for another warning when you want to configure the corresponding CSP.

That’s great, the same warning. I’m done with all the warnings, let’s see how and if it works. One thing I learned for sure: it really depends on whether you have an existing WHfB-enrolled device or a cleanly enrolled device. I will show you my experience with my existing Windows 10 device.

To briefly sum up what I did to get this working properly, and some other information:

1. Conditional Access / Require MFA

2. Enable Microsoft Authenticator Password Less and Phone Sign in

3. Enable web sign in with a CSP or Settings Catalog

4. Force web login to be the first credential provider

5. Disable Hello with a device configuration policy

6. Remove OLD windows hello credential container

7. Disable post logon hello provisioning

8. The results

8b. UPDATE 15-04-2021. Don’t display LastloggedonUser

9. The MFA App Cons (SSO?)

10. The Password issue

11. The Hello Loop

12. The Web login Issue

1. Conditional Access

This one is obvious, you will need to require MFA when you want to access Microsoft 365.

2. Enable Password Less / Phone Sign In

Like I told you earlier in this blog, configuring phone sign-in in the mobile Authenticator app will give your end users a great sign-in experience. Some time ago I wrote a blog about this.

Back to the passwordless sign in. – Call4Cloud

3. Enable the Web Sign in

I created the two CSPs as Microsoft was showing in their documentation. One to enable the Web Sign-in Option: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn

And one to configure the Preferred Aad Tenant DomainName: ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName

Or, if you don’t like configuring the custom CSP because it lacks good reporting, just configure it in the Settings Catalog, as this is the preferred way!

4. Force Web Sign in to be the default

Adding this CSP only activates the web sign-in option, but I want this option to be the default. So I added this PowerShell script, as this setting isn’t available in the Settings Catalog:

# Make the Cloud Experience (web sign-in) credential provider the default tile on the sign-in screen
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\System"
$name = "DefaultCredentialProvider"
$value = "{C5D7540A-CD51-453B-B22B-05305BA03F07}"
# Create the policy key if it does not exist yet, then write the REG_SZ value either way
IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null

Update 10-12-2021

While looking for some other settings I stumbled upon this nice new addition: “Assign a default credential provider”. So it should be possible now to assign the default credential provider from the Settings Catalog!

In the example above, I configured Web Sign-in as the default provider. As mentioned at the beginning of this blog, you can only use web sign-in for TAP and nothing more! So maybe configuring the Hello PIN provider is a better idea:

{D6886603-9D2F-4EB2-B667-1971041FA96B}

Please note, you will need the proper license to use this CSP.

5. Disable WHfB

You can guess what happened: the Cloud Experience Credential Provider {C5D7540A-CD51-453B-B22B-05305BA03F07} was not the default sign-in option. WHfB was still in command.

Before I wanted to test it further I disabled WHfB with an Identity protection device configuration profile.

6. Remove the old Hello creds

But unfortunately, this is not sufficient. When you want to configure this on existing devices with Hello already configured, you also need to remove the existing Windows Hello credential container. You will need to run this command in the user session itself:

certutil /deletehellocontainer  

When you don’t want to do this manually, you could create a nice IntuneWin app which does this for you.

7. Disable Post Logon Provision

To be sure WHfB does not feel the urge to say hello again after the user logs in, I also created this script to disable post-logon Hello provisioning:

# Stop Windows Hello for Business from prompting the user to enroll after logon
$registryPath = "HKLM:\Software\Policies\Microsoft\PassportForWork"
$name = "DisablePostLogonProvisioning"
$value = 1
# Create the policy key if it does not exist yet, then write the DWORD value either way
IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -PropertyType DWord -Value $value -Force | Out-Null

8. The Result

After some hard work, the results:

The sign-in screen shows us only the option to click on Sign in (or Sign-in options…).

It immediately asks to “send a notification”

After pressing the correct number on my phone, Windows logged in without any problems. If you ask me… this is 100% MFA.

8b. Don’t display the last logged on user

UPDATE: 15-04-2021. After testing it on multiple tenants and multiple devices, I noticed the following: sometimes logging in with a password was still the default provider.

I resolved it by configuring dontdisplaylastusername to 1 instead of 0.
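As an added example (not part of the original post), this PowerShell reads back the three registry values configured in steps 4, 7 and 8b, so you can verify what a device actually has before blaming the credential provider. The DontDisplayLastUserName path is the standard logon policy location, assumed here because the post only gives the value name.

```powershell
# Added example: audit the sign-in related policy values from steps 4, 7 and 8b.
$checks = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
       Name = 'DefaultCredentialProvider'
       Expected = '{C5D7540A-CD51-453B-B22B-05305BA03F07}'   # Cloud Experience / web sign-in
       Why = 'Provider shown first on the sign-in screen' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\PassportForWork'
       Name = 'DisablePostLogonProvisioning'
       Expected = 1
       Why = 'Stops Hello from re-provisioning after logon' }
    # Assumed path for the value named in step 8b (standard logon policy key)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'
       Expected = 1
       Why = 'Keeps the last user''s password tile from becoming the default' }
)

function Get-SignInPolicyState {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # A missing value name simply means "not configured", not an error
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Name) }
        }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            # Compare as strings so a REG_SZ GUID and a DWORD both work; GUIDs ignore case
            Ok       = ($null -ne $actual) -and ("$actual" -ieq "$($c.Expected)")
            Why      = $c.Why
        }
    }
}

# Run elevated on the device; any row with Ok = False explains a sign-in screen that
# still shows the wrong tile or keeps nagging about Hello enrollment
Get-SignInPolicyState | Format-Table Setting, Expected, Actual, Ok, Why -AutoSize
```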

9. The MFA App Cons

But what about the cons, there must be some?

1. Let’s start with an easy one. You will need to have internet access. Without internet access, nothing is going to happen. But working without internet access with the Microsoft 365 apps can be difficult anyway. When you try to sign in without internet access, you will be prompted with a warning.

2. Microsoft tells us not to use it in production? Why? Here is what Daniel Stefaniak had to say about it!

“Web sign-in is not to be used as your daily driver for login. Also unlocks/logins with Web sign-in do not and will not get SSO to on-prem resources. “

Of course, when Daniel tells us something there is like a 100% chance he is right, but then again, I wanted to see for myself whether SSO to your on-premises servers would break. Looking at the picture below: yes, it breaks pretty thoroughly!

So after reading the above, please read my blog about Kerberos and SSO to get the full picture of why using web login will destroy this.

Requiring only this single sign-in option is not best practice, just like relying on a single break glass account. You will need to have an additional sign-in option. And here comes the pain… you can still log in the old-school way, with your password.

10. Password Credential Provider

From the Hello deep dive to Web Sign-in to the password problem. Let’s dig a little deeper into the password credential provider. If you want to remove this option, be my guest, but I am not recommending it (for now…). When you disable or remove the credential provider from the login screen, you are also removing the possibility to enter a password when you want to use Run as / Run as administrator / UAC prompts.

Not having the Run as option available can give you a lot of problems when you want to run something as admin because a user has problems on his Windows 10 device.

But if you want to disable it, you can do so by creating a new registry value named Disabled under this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

Or, even better, when you still want to remove the password credential provider, use the Settings Catalog as shown below. Just search for “Exclude credential providers”.
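As an added example (not the post’s own code), this PowerShell enumerates every credential provider registered under the key above and shows whether the Disabled value is set, so you can see which tiles will and will not appear before you touch anything. The GUID-to-name table contains only the three providers named in this post; any other GUID is reported by its registry name. The disable function supports -WhatIf so you can preview the change.

```powershell
# Added example: inventory credential providers and preview disabling the password provider.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# GUIDs named in the post; hashtable literals are case-insensitive, matching the registry
$known = @{
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 'Password credential provider'
    '{C5D7540A-CD51-453B-B22B-05305BA03F07}' = 'Cloud Experience (web sign-in)'
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'Windows Hello PIN'
}

function Get-CredentialProviderState {
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid     = $_.PSChildName
            Name     = $props.'(default)'          # registry name of the provider
            Known    = $known[$_.PSChildName]      # friendly name if the post mentions it
            Disabled = [bool]$props.Disabled       # Disabled=1 hides the tile from logon
        }
    }
}

function Disable-PasswordCredentialProvider {
    # SupportsShouldProcess gives -WhatIf/-Confirm; run elevated
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = Join-Path $base '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
    if (-not (Test-Path $key)) { throw "Password credential provider key not found: $key" }
    $action = 'Set Disabled=1 (also removes password entry from Run as and UAC prompts)'
    if ($PSCmdlet.ShouldProcess($key, $action)) {
        New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-CredentialProviderState | Sort-Object Disabled, Guid | Format-Table -AutoSize
# Preview only; drop -WhatIf to apply, keeping the Run as / UAC caveat above in mind
Disable-PasswordCredentialProvider -WhatIf
```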

11. The Hello loop

Now we have seen how you could configure the web sign-in option. I was also intrigued whether it was possible to require only Windows Hello when you want to log in. This part has nothing to do with the rest of the blog, but I needed to show it. The idea sounded great at first.

I added this registry value: scforceoption with the value 1.

Interactive logon: Require smart card – security policy setting:

Interactive logon Require smart card – security policy setting (Windows 10) – Windows security | Microsoft Docs

And yes… I was required to log in with Windows Hello. Great, I thought at first, but the Run as prompt was also asking us to enter our PIN, while the local admin user had no Hello configured yet.

So I logged in and tried to log on as the local admin to set up Windows Hello. You can again guess what happened:

Loop created: I need to use Windows Hello to sign in, but I need to log in before I can configure Windows Hello. Sounds like the chicken and the egg problem.

12. The Web Login Issue

In my first setup, everything worked right away without any issues, but after trying to implement this possibility to log in with the Authenticator on an existing tenant, to test SSO to the on-premises file server, it wasn’t working!

I ended up clicking on the Web login button, but after clicking on it, nothing happened.

So what’s up? After spending some time trying to work out why web login wasn’t working, I totally forgot to look at some other functionality you could have on the login screen.

As shown above, the Self Service Password Reset (SSPR) functionality also wasn’t working. You can enable this with a CSP, and of course SSPR must be enabled for your user. If you are using Azure AD Connect, password writeback is one not to forget!

  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type: Integer
  • Value: 1

Luckily the documentation about SSPR is way better than the documentation about web login… but it’s the same issue.

Take a look at the documentation and the UAC issue:

Self-service password reset for Windows devices – Azure Active Directory | Microsoft Docs

User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Okay, to briefly sum up: people who are in the right state of mind won’t disable UAC, no matter what! But this time it was a test VM, so… don’t blame me this time :)

Conclusions:

One thing is for sure: you need MFA on your Windows 10 device. Requiring WHfB is a perfect start, but only requiring a PIN is not very safe if you ask me. When you are using WHfB, please set up multiple unlock factors.

I really don’t know why Microsoft tells us to use Windows Hello instead of the Microsoft Authenticator app. Duo Security is doing exactly the same thing and everyone wants to use it, so why not use the Microsoft Authenticator app?

The only 3 reasons I can think of are:

  1. When you don’t have internet access. But then again, when you don’t have internet access you could still log on with your password or another credential provider.
  2. When you want SSO to your legacy on-premises file server, web sign-in is not going to work for you!
  3. Logging in with Windows Hello is a lot faster.

I can’t think of any other practical or security reasons… and these reasons still do not change the fact that I love the Microsoft Authenticator app.

2 thoughts on “Battle for the Planet of the Credential Providers”

  1. Nice article, thanks.

    You may be interested in the “note” regarding the upcoming “cloud trust” feature of WHfB within this article:
    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

    “Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices. More information will be available on Windows Hello for Business cloud trust once it is generally available.”

    I guess, once available this will finally solve your problem.
