Passwordless using FIDO2 security key with HoloLens 2

Introduction

Some time ago I was asked by FEITIAN if I would like to test their FIDO2 key. I said yes, because I am in a project where we will onboard Microsoft HoloLens’s in production, in that journey, we will make use of FIDO2 keys + Windows Hello for Business to meet our password-less journey and to make the usability much better and stay secure.

On our blog we have already written about FIDO2 and the password less journey here and here, but I wanted to put the HoloLens angle to the use case of FIDO2.

The key I am using is the K40

ePass FIDO® -NFC Series Duo-interface Security Keys | FEITIAN (ftsafe.com)

 

Here is some scenarios how to determine your authentication model, where we in this blog post will be focusing on the Frontline worker.

Persona	Scenario	Environment	Passwordless technology
Admin	Management tasks	Windows 10 device	WHfB and / or FIDO2
Admin	Management tasks	Mobile or non-windows	Authenticator app
Information worker	Work	Windows 10 device	WHfB and / or FIDO2
Information worker	Work	Mobile or non-windows	Authenticator app
Frontline worker	Factory, plant, retail	Shared windows 10	FIDO2

Requirements

• AAD P1
• Endpoint Manager
• Microsoft compatible FIDO2 key
• For AAD only Windows 10 1903 or higher
• For hybrid Windows 10 20H1 or higher
• Combined security registration
• MFA

 

Compatible FIDO’s

Here is a list of compatible FIDO’s. You can also follow the link for more information and with link to the different vendors.

Source: Azure Active Directory passwordless sign-in | Microsoft Docs

Combined registration

Before combined registrations were here, users had to register one place for MFA and again for self-service password reset. Now they are “Combined” and easier to register for the users.

Go to the azure portal https://portal.azure.com/

 

As you can see new tenants have this setting by default. It has been like this since 15^th august 2020.

 

Best practice is to also create a Conditional Access rule to only allow access to combined registrations from a trusted location. More about that here:

Enable combined security information registration - Azure Active Directory | Microsoft Docs

 

Enable FIDO2 security key method

Before users will be able to use FIDO as an authentication method, it must be enabled in the tenant. This can be done for all users or only for a specific group.

Sign into the azure portal

https://portal.azure.com/

 

Set settings as specified and Save

 

Seen from the user’s perspective - User registration of FIDO2

Sign into security info

https://aka.ms/mysecurityinfo/

Authenticate with your credentials

Add method

 

Security key and press add

 

You will need to provide MFA

 

Insert the FIDO key into your device

 

Add a pin

 

touch the FIDO and hold your finger on it until it prompts for a name.

Give it a name

Not very hard? I Think it is easy but maybe some non-techie would have trouble doing this. Luckily this is only to be done once and then the user will be good to go just using the FIDO.

 

Configuring Windows Hello for Business for HoloLens

Sign in to https://endpoint.microsoft.com/#home

Create profile

 

Choose this platform that this profile type. Press create.

 

Naming structure – HL2 = Hololens 2

 

Add settings

 

Before searching for your settings make sure you only search on the platform for what you need your policy to support. Add filter choose Holographic for Business

 

I’ve chosen to have a minimum of 6 pin length to level up on security.

Also, I require the device to have a TPM.

I allow the device to use security key for sign in.

Click Next

 

If you do not already have a group for HoloLens’s, you can create one and preferable a dynamic group.

Select and click next

 

Click next

 

Click Create

 

Windows 10 login experience using FIDO

I currently don’t have a HoloLens to do this on, but seen on a regular Windows 10 device, this is the process how to logon.

 

Insert pin to your FIDO key

 

Touch the FIDO key so it knows you are physically at the device.

 

Summary

To raise the security in your company introducing passwordless is a good idea. At the same time, your users might actually love it. Now the FIDO2 scenario and HoloLens 2 are a perfect fit for each other. Go try it out yourself.

Happy testing!

 

Sources:

Azure Active Directory passwordless sign-in | Microsoft Docs

Passwordless security key sign-in - Azure Active Directory | Microsoft Docs

Limiting password use | Microsoft Docs

Block personally owned devices in Intune with enrollment restrictions

 

Introduction

Today I will be looking at enrollment restrictions in Intune, which is a method to block personally owned devices. Did you know that all users (with an Azure AD P1 and Intune license) in your Azure AD by default is allowed to enroll (Azure AD join) their devices into Intune, they will then get all of your company configuration and local admin permission on the device.

So, with that in mind and looking from a security point of view, I would not recommend that all users can enroll their own devices, and I think that every organizations should consider which devices can be enrolled into their Intune environment.

I will show you how to restrict the enrollment of personally owned Windows devices for all users, but still make it possible for a few trustworthy users (e.g. IT staff)

Requirements

• Azure Active Directory
• Azure AD P1 (Azure Active Directory Premium licensing)
• Microsoft Endpoint Manager
• Microsoft Intune License (Microsoft Intune licensing)

First some important knowledge

Before I show you how to restrict the enrollment of personally owned devices for all users, it is important to know a few things first. Like for instance that there are two types of device ownership in Intune:

Personal devices - These devices are registered in Azure AD (Azure AD registered) and enables the user to access your organizations Azure AD controlled resources - Bring your own devices (BYOD)

Corporate devices - These devices are joined to Azure AD (Azure AD joined) and enables the user to access both cloud and on-premises apps and resources - Corporate-owned devices (COD)

Visit the Microsoft Docs to read more about Azure AD joined devices and Azure AD registered devices

There are two locations from where you can restrict device enrollment. The first location is device settings in Azure AD, which is like a main switch it's either on or off. In device settings it is not possible to distinguish between users/type/version etc. Or create multiple groups with different settings - the field “Users may register their devices with Azure AD” will be grayed out and set to “All” when Intune is configured in your tenant.

Note. If you haven't configured Intune in your tenant, this is where you can restrict users from Azure AD join their devices.

The other location is enrollment restrictions in Intune, from here you will be able to distinguish between users/type/version etc. And create multiple groups with different settings - which I will demonstrate further down in this blog post.

It's also important to know that if you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

The following methods qualify as being authorized as a Windows corporate enrollment:

• The enrolling user is using a device enrollment manager account
• The device enrolls through Windows Autopilot
• The device is registered with Windows Autopilot but isn't an MDM enrollment only option from Windows Settings
• The device's IMEI number is listed in Device enrollment > Corporate device identifiers
• The device enrolls through a bulk provisioning package
• The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management

The following enrollments are marked as corporate by Intune. But since they don't offer the Intune administrator per-device control, they'll be blocked:

• Automatic MDM enrollment with Azure Active Directory join during Windows setup*
• Automatic MDM enrollment with Azure Active Directory join from Windows Settings*

The following personal enrollment methods will also be blocked:

• Automatic MDM enrollment with Add Work Account from Windows Settings*
• MDM enrollment only option from Windows Settings

* These won't be blocked if registered with Autopilot.

Source: Microsoft Docs

Block personally owned devices

By default all users can enroll their devices.

As you can see in the below picture, Annie (my wife) was able to enroll (Azure AD join) her device.

 

But since I do not trust her social media infected devices - let's change that possibility.
Go to https://endpoint.microsoft.com/

Click on “Devices” and select “Enrollment restrictions” from the “Policy” section.
Select “All Users” in the name column for the default policy.

Click on “Properties” and select “Edit”

In this demonstration I have blocked the “Android device administrator” platform because Google is deprecating device administrator support in new Android releases. I will recommend the modern and more secure device management “Android Enterprise (work profile)” and then I've blocked all personally owned devices for all users by default.

Click “Review + save”

Click “Save”

Now that I have blocked personally owned devices in my default policy, we should only be allowed to Azure AD register our devices. Let's switch back to our two Windows 10 devices and confirm that it actually work.

First I will try to Azure AD register my device (SUNE-PC) which should still work.
Go to “Windows Settings” and click on “Accounts”

Click on “Access work or school” and select “Connect”

Enter your “email address” and click “Next”

Click “OK”

Click “Done”

Success! - Managed by mddprov account. My device is now Azure AD registered.

Let's try to Azure AD join my wife's device (ANNIE-PC) and confirm that it is now being blocked.
Go to “Windows Settings” - “Accounts” - “Access work or school” and select “Connect”

Click on “Join this device to Azure Active Directory” and click “Next”

Enter your “email address” and click “Next”

She will still be prompted to join the organization.
Click “Join”

Oh, something went wrong. Awesome! - bye bye social media infected devices.

But she will still be able to Azure AD register her devices, which is OK.

Some might then ask - But what will happen if you configure your mail and forget to uncheck “Allow my organization to manage my device”? Well, let's test it… So as you can see in the below GIF it will only Azure AD register your device.

If you are happy with just blocking all personally owned devices in Intune - read no further. But keep on reading if you want to know how to allow personally owned devices for trustworthy users (e.g. IT staff)

Allow personally owned devices for trustworthy users

Okay, so we have now successfully blocked all personally owned devices by default, mine included! But I want to allow myself to Azure AD join my devices (because I'm that trustworthy IT guy…)

Go to https://endpoint.microsoft.com/
Click on “Groups” and then click “New group”

Select “Security” as group type and give it a friendly group name and description (optional).
Select “Assigned” in membership type and select members. Click “Create”

Here you can see properties and membership for my security group.

 

Now that we have created a security group with my account added to it, we then need to create a new enrollment restriction policy that allow personally owned devices.

Click on “Devices” and select “Enrollment restrictions” from the “Policy” section.  
Click on “Create restriction” and select “Device type restriction”

Give the policy a friendly name and description (optional)
Click “Next”

Block the “Android device administrator” platform like we did earlier in the default policy and click “Next”

Click “Next”

Add the newly created security group and click “Next”

Click “Create”

It is also possible to limit the amount of devices which can be enrolled by a user by simply click on “All Users” for the default policy or add a new policy for the newly created security group. By default this limit is set to 5 and the max is 15 devices.

Let's switch back to my Windows 10 device (SUNE-PC) and confirm that I'm able join it to Azure AD.
Go to “Windows Settings” - “Accounts” - “Access work or school” and select “Connect”

Click on “Join this device to Azure Active Directory” and click “Next”

Enter your “email address” and click “Next”

Click “Join”

Success! - Managed by OSDSune.Mindcorelab.

In Azure AD we should see that Annie's device is Azure AD registered and my device is Azure AD joined and managed by Intune.

And from Microsoft Endpoint Manager admin center we should see that Annie wasn't able to enroll her device as personal.

Go to https://endpoint.microsoft.com/
Click on “Home” and select “Device enrollment”

We can also confirm the result by running this command line locally on the devices.
dsregcmd /status

Summary

That's it folks. Now you know how to block personally owned Windows devices in Intune, but still allow a few trustworthy users to enroll (Azure AD join) their devices. I've explained a few important information's and shown you how to confirm and check the results.

Happy testing!

If you have any questions regarding this topic, feel free to reach out to us.