It’s up to you to integer this work into your security posture and evaluate impacts. I am not here to discuss if this document in any parts adhere to all principles and best practices of a secure administration environment, I just want to show a feature as a proof of concept.
Obtain above with a sort of simplicity and costs control. 
Connect to Domain Controller thorough RDP form the PAW using SSO (Single Sign On). Same credential can be used on prem and in cloud (if needed). Have only one identity with one strong credential. Have the ability to use multiple PAWs (privileged access workstation) with same MFA credential. Eradicate from the domain the password presence for those privileged accounts (make impossible to use a password to log on to domain to prevent some king of password attacks). Use that solution to protect privileged accounts passwords. Configure a modern MFA solution to access on prem Windows 10 PC. The deployment might get complicated based on your current environment.I am here just to demonstrate that today is technically possible (Proof of Concept): WHfB is NOT the same as Windows Hello, even though it has exact same words in it (I know, right). Basically, WHfB replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. Authentication app is not supported for this scenario. You can still achieve passwordless login for domain accounts (hybrid or on-prem) using Windows Hello for Business (WHfB) via device PIN, biometrics, smart card or FIDO2 key. Also, it is currently in preview with no clear ETA, so it might not be ready for production yet.Īzure AD account or AD account on hybrid AAD hybrid-joined device or domain device Unfortunately it is supported only on Azure AD joined devices, but not on hybrid PCs. There is a feature which is called Web sign-in and it allows signing in to Windows using Azure AD account and Authenticator app. 
are fully supported for passwordless login to Windows 10/11 using Authenticator app.Īzure AD accounts (work or school) on Azure AD joined devices The solution would depend both on user account type and device type.Ĭurrently only personal Microsoft accounts (e.g.
0 kommentar(er)
