Battle for the planet of the Credential providers

Choosing between Windows Hello and the Microsoft Authenticator app to log in to your Windows 10 Azure AD joined device can be hard; I hope this blog explains why.

Last Friday, 09-04, I was experimenting with Windows Hello and trying to remove the Password Credential Provider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}.

It was a deep dive into Windows Hello for Business (WHfB) with all of its pros and cons, which is also why I was very surprised and happy to hear the MS Cloud IT Pro podcast cover the same subject.

Microsoft Cloud IT Pro Podcast – A Microsoft cloud podcast (msclouditpropodcast.com)

They did an excellent job explaining and trying to understand WHfB. After listening to the podcast, I felt the urge to look for other possible solutions, so I did.

Back to last Friday… At the beginning of the day, I configured the first and second Hello unlock factors.

Of course, this is very important when you want real MFA instead of only requiring a simple PIN. In my opinion, only requiring a PIN to unlock your device is not the safest solution out there. Requiring two unlock factors is a way better solution.

I ended up requiring a PIN and facial recognition.

But I was not satisfied yet. It's definitely way better than only requiring a PIN, but I felt like I was missing my favourite sign-in option: logging in with the Microsoft Authenticator app. When you require MFA, the Microsoft Authenticator app is what you need. It improves the user experience a lot once you have configured the passwordless option and the possibility to sign in with your phone.

So why not use it to log on to your Windows 10 device? Luckily, this functionality has been out there for some time.

What’s new in Windows 10, version 1809 – What’s new in Windows | Microsoft Docs

By now, everyone has upgraded their Windows 10 devices to a later release (I hope so). But when this feature was released, there were definitely some important notes...

In my opinion, it's very weird that I cannot find any up-to-date information about this, except for another warning when you want to configure the corresponding CSP.

That's great, the same warning. I'm done with all the warnings; let's see how and if it works. One thing I learned for sure: it really depends on whether you have an existing WHfB-enrolled device or cleanly enrolled devices. I will show you my experience with my existing Windows 10 device.

To briefly sum up what I did to get this working properly, plus some other information:

1. Conditional Access / Require MFA

2. Enable Microsoft Authenticator Password Less and Phone Sign in

3. Enable web sign in with a CSP

4. Force web login to be the first credential provider

5. Disable Hello with a device configuration policy

6. Remove OLD windows hello credential container

7. Disable post logon hello provisioning

8. The results

8b. UPDATE 15-04-2021: Don't display the last logged-on user

9. The cons and the password issue

10. The Hello Loop

1. Conditional Access

This one is obvious: you need to require MFA when users access Microsoft 365.

2. Enable Password Less / Phone Sign In

As I told you earlier in this blog, configuring phone sign-in in the Microsoft Authenticator app gives your end users a great sign-in experience. Some time ago I wrote a blog about this.

Back to the passwordless sign in. – Call4Cloud

3. Enable the Web Sign in

I created the two CSPs Microsoft shows in its documentation. One to enable the web sign-in option: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn

And one to configure the preferred Azure AD tenant domain name (so the web sign-in page goes straight to your tenant): ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName

Or, if you don't want to configure the custom CSP, configure it in the Settings Catalog.

4. Force Web Sign in to be the default

Adding this CSP only activates the web sign-in option, but I wanted it to be the default option, so I added this PowerShell script. It sets the "Assign a default credential provider" policy value (DefaultCredentialProvider) to the GUID of the web sign-in credential provider:

$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\System"
$Name = "DefaultCredentialProvider"
# GUID of the Cloud Experience (web sign-in) credential provider
$Value = "{C5D7540A-CD51-453B-B22B-05305BA03F07}"

# Create the policy key when it does not exist yet
IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
# -Force overwrites an existing value, so one call covers both the new and the existing case
New-ItemProperty -Path $registryPath -Name $Name -Value $Value -Force | Out-Null

5. Disable WHfB

You can guess what happened: the Cloud Experience Credential Provider {C5D7540A-CD51-453B-B22B-05305BA03F07} was not the default sign-in option, WHfB was still in command.

Before testing it further, I disabled WHfB with an Identity Protection device configuration profile.

6. Remove the old Hello creds

Unfortunately, this is not sufficient. When you configure this on existing devices that already have Hello configured, you also need to remove the existing Windows Hello credential container. This command has to run in the user's own session, since it deletes that user's own Hello container:

certutil /deletehellocontainer

If you don't want to do this manually, you could create a nice IntuneWin app that does it for you.

7. Disable Post Logon Provision (just to be sure)

To make sure WHfB does not get the urge to say hello again after the user logs in, I also created this script to disable post-logon Hello provisioning:

$registryPath = "HKLM:\Software\Policies\Microsoft\PassportForWork"
$Name = "DisablePostLogonProvisioning"
# DWORD 1 = do not start Hello provisioning after the user logs on
$Value = 1

# Create the policy key when it does not exist yet
IF (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
# -Force overwrites an existing value, so one call covers both the new and the existing case
New-ItemProperty -Path $registryPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

8. The Result

After some hard work, the results:

The sign-in screen only shows the option to click Sign in (or Sign-in options...).

It immediately asks to “send a notification”

After entering the correct number on my phone, Windows logged me in without any problems. If you ask me... this is 100% MFA.

8b. Don’t display the last logged on user

UPDATE 15-04-2021: After testing it on multiple tenants and multiple devices, I noticed the following: sometimes logging in with a password was still the default provider.

I resolved it by setting DontDisplayLastUserName to 1 instead of 0.
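As an added example (my own script, not the one from this post), here is one idempotent device-context script that applies the three registry settings from steps 4, 7 and 8b in a single pass and then reads back the web sign-in Policy CSP state, so you can see in one output whether the policy actually landed. The GUID, value names and policy paths are the ones used above and in Microsoft's docs; the function names are mine, and the PolicyManager path used to read back the CSP values is an assumption about where applied Policy CSP settings are mirrored on this build.

```powershell
# Added example, not the blog's own script: apply the registry settings from steps 4, 7 and 8b
# and read back the web sign-in Policy CSP state. Run as SYSTEM (Intune PowerShell script /
# Proactive Remediation). Function names are mine; the PolicyManager path is an assumption.

$WebSignInProviderGuid = '{C5D7540A-CD51-453B-B22B-05305BA03F07}'   # Cloud Experience / web sign-in CP

# Desired state for the three values. 'String' and 'DWord' are New-ItemProperty -PropertyType names.
$Desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'DefaultCredentialProvider'; Value = $WebSignInProviderGuid; Type = 'String' }   # step 4
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Name = 'DisablePostLogonProvisioning'; Value = 1; Type = 'DWord' }                     # step 7
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Value = 1; Type = 'DWord' }                          # step 8b
)

function Test-DesiredRegistryValue {
    param([hashtable]$Item)
    $current = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($null -eq $current) { return $false }
    # Compare as strings so the GUID (REG_SZ) and the DWORDs go through the same check
    return ("$($current.$($Item.Name))" -eq "$($Item.Value)")
}

function Set-DesiredRegistryValue {
    param([hashtable]$Item)
    if (-not (Test-Path $Item.Path)) { New-Item -Path $Item.Path -Force | Out-Null }
    # -Force overwrites an existing value, so one call handles both create and update
    New-ItemProperty -Path $Item.Path -Name $Item.Name -Value $Item.Value `
        -PropertyType $Item.Type -Force | Out-Null
}

function Get-WebSignInPolicyState {
    # Assumed location of the applied Policy CSP values for the Authentication area
    $p = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableWebSignIn              = $v.EnableWebSignIn               # expect 1 when the CSP applied
        PreferredAadTenantDomainName = $v.PreferredAadTenantDomainName  # expect your tenant domain
    }
}

$changed = 0
foreach ($item in $Desired) {
    if (-not (Test-DesiredRegistryValue $item)) {
        Set-DesiredRegistryValue $item
        $changed++
    }
    '{0}\{1} = {2} (compliant: {3})' -f $item.Path, $item.Name, $item.Value, (Test-DesiredRegistryValue $item)
}
"Values changed this run: $changed"
Get-WebSignInPolicyState | Format-List
```

Step 6 is deliberately not in this script: certutil /deletehellocontainer works on the signed-in user's own container and therefore has to run in the user's session, not as SYSTEM. The new default credential provider only shows up at the next logon, so have the user sign out after the script has run.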

9. The Cons and the Password Credential Provider

Cons

But what about the cons, there must be some?

  • You need internet access. Without internet access, nothing is going to happen. Then again, working without internet access with the Microsoft 365 apps is difficult anyway. When you try to sign in without internet access, you get a warning.
  • Microsoft tells us not to use it in production? Why? Does anyone know the answer?
UPDATE 02-08-2021 …. Duhhhh!

“Web sign-in is not to be used as your daily driver for login. Also unlocks/logins with Web sign-in do not and will not get SSO to on-prem resources. “

So, reading the above... please read my blog about SSO to get the full picture and why using web sign-in will destroy this. (I still need to test it myself.)

Fantastic MR. SSO – Call4Cloud SSO with multiple customers from one AD

  • Requiring only this single sign-in option is not best practice, just like with the break glass account. You need an additional sign-in option.
  • And here comes the pain... you can still log in the old-school way, with your password.

Password Credential Provider

From the Hello deep dive to web sign-in to the password problem. Let's dig a little deeper into the password credential provider. If you want to remove this option, be my guest, but I am not recommending it (for now...). When you disable or remove the credential provider from the login screen, you also remove the possibility to enter a password when you want to use Run as, Run as administrator or a UAC prompt: the provider is gone from every credential UI, not just the logon screen.

Not having the Run as option available can give you a lot of problems when you need to run something as admin while a user has problems on their Windows 10 device.

But if you want to disable it anyway, you can do so by creating a new DWORD value named Disabled with data 1 under the provider's registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

Or, even better, if you still want to remove the password credential provider, use the Settings Catalog when you are on the Insider Preview!

Just search for "Exclude credential providers".
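Before touching that key it helps to know which providers are actually registered on the device and which are already switched off. The following is an added example (my own script, not from this post): it inventories the Credential Providers key, and includes a function that disables or re-enables a provider by GUID the way described above (a DWORD named Disabled set to 1 under the provider's key), with a guard that refuses to disable the password provider unless the web sign-in provider is present and enabled. Function names are mine; the two GUIDs are the ones used in this post.

```powershell
# Added example, not from the blog: list registered credential providers, show which are
# disabled, and (deliberately opt-in) disable the password provider by GUID. Function names
# are mine. Run elevated; changes apply at the next logon / credential prompt.

$CpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PasswordProviderGuid  = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # Password CP (from the post)
$WebSignInProviderGuid = '{C5D7540A-CD51-453B-B22B-05305BA03F07}'   # Cloud Experience / web sign-in CP

function Get-CredentialProviderInventory {
    Get-ChildItem -Path $CpRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid     = $_.PSChildName
            Name     = $props.'(default)'          # provider's registered name, e.g. PasswordProvider
            Disabled = [bool]$props.Disabled       # value absent -> $false, i.e. enabled
        }
    } | Sort-Object Name
}

function Set-CredentialProviderDisabled {
    param(
        [Parameter(Mandatory)][string]$Guid,
        [bool]$Disabled = $true
    )
    $key = Join-Path $CpRoot $Guid
    if (-not (Test-Path $key)) { throw "Credential provider $Guid is not registered on this device" }
    if ($Disabled) {
        New-ItemProperty -Path $key -Name 'Disabled' -Value 1 -PropertyType DWord -Force | Out-Null
    } else {
        # Removing the value (rather than writing 0) restores the provider to its default state
        Remove-ItemProperty -Path $key -Name 'Disabled' -ErrorAction SilentlyContinue
    }
}

# 1. Audit: what is registered and what is already switched off
$inventory = Get-CredentialProviderInventory
$inventory | Format-Table -AutoSize

# 2. Guard rail from the cons above: disabling the password provider also removes the password
#    option from Run as / UAC prompts, so only do it deliberately and only when the provider
#    you rely on instead (here web sign-in) is present and enabled.
$DisablePasswordProvider = $false     # flip to $true only after reading the cons above
$webSignIn = $inventory | Where-Object Guid -eq $WebSignInProviderGuid
if ($DisablePasswordProvider) {
    if (-not $webSignIn -or $webSignIn.Disabled) {
        throw 'Refusing to disable the password provider: web sign-in provider missing or disabled'
    }
    Set-CredentialProviderDisabled -Guid $PasswordProviderGuid -Disabled $true
    Get-CredentialProviderInventory | Where-Object Guid -eq $PasswordProviderGuid
}
```

To undo it later, call Set-CredentialProviderDisabled -Guid $PasswordProviderGuid -Disabled $false; that removes the Disabled value instead of writing 0, so the provider returns to the state it shipped in.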

10. The Hello loop

Now that we have seen how to configure the web sign-in option, I was also intrigued whether it was possible to require only Windows Hello for login. This part has nothing to do with the rest of the blog, but I needed to show it. The idea sounded great at first.

I added this registry value: scforceoption with the value 1.

Interactive logon: Require smart card – security policy setting:

Interactive logon Require smart card – security policy setting (Windows 10) – Windows security | Microsoft Docs

And yes... I was required to log in with Windows Hello. Great, I thought at first, but the "Run as" prompt was also asking us for our PIN, while the local admin user has no Hello configured yet.

So I logged in and tried to log on as the local admin to set up Windows Hello; you can again guess what happened:

Loop created: I need Windows Hello to sign in, but I need to sign in before I can configure Windows Hello. Sounds like the chicken-and-egg problem.

Conclusion:

One thing is for sure: you need MFA on your Windows 10 device. Requiring WHfB is a perfect start, but only requiring a PIN is not very safe if you ask me. When you are using WHfB, please set up multiple unlock factors.

I really don't know why Microsoft tells us to use Windows Hello instead of the Microsoft Authenticator app. Duo Security is doing exactly the same thing and everyone wants to use it, so why not use the Microsoft Authenticator app?

The only two reasons I can think of are:

  1. When you don't have internet access. But when you don't have internet access, you can still log on with your password or another credential provider.
  2. Logging in with Windows Hello is a lot faster.

I can't think of any other reasons, problems or security reasons... and these reasons still do not change the fact that I love the Microsoft Authenticator app.
