Configuring Windows Hello for Business Authentication
You can delegate user authentication from the Imprivata agent to Windows Hello for Business. In a deployment where Windows Hello for Business is configured as an authentication method:
- The Imprivata agent is installed on all endpoint computers, but the Imprivata login module is unregistered. The user authenticates to Imprivata OneSign using a Windows Hello-compatible biometric device or PIN.
- If the user policy is configured for single sign-on (SSO), the authenticated user continues to have access to their Imprivata OneSign SSO-enabled applications. The Imprivata agent continues to proxy all user credentials to enabled applications.
Prerequisites
Review the following prerequisites before you begin:
- Your Imprivata user directory (domain) is hybrid joined to Entra ID.
  An on-premises-only Active Directory domain or an Entra ID cloud-only domain is not supported.
- Verify that your Windows Hello for Business deployment is:
  - Functioning normally on your Windows endpoints, independently of OneSign.
  - Kerberos-enabled — When delegating authentication from the Imprivata agent to a non-Imprivata credential provider, such as Windows Hello for Business, Kerberos authentication is required.
- A single-user (type 1) agent is installed on your Windows endpoints.
  - Support is limited to single-user (private) workstations.
  - Multiple Windows Desktop workstations, also known as multiple-user desktops (MUD), are not supported.
NOTE: For additional support information, see "Authentication Methods and Peripherals > Authentication" in the Imprivata OneSign Supported Components matrix.
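To confirm the hybrid-join, Windows Hello and Kerberos prerequisites above on a given endpoint before enabling the delegation, the following PowerShell check can be run in the signed-in user's own session. It is an added example and not code from the Imprivata documentation or product: it parses the output of the built-in dsregcmd /status and klist tgt tools, and the field names it keys on (DomainJoined, AzureAdJoined, NgcSet, AzureAdPrt) are assumed to match the output of current Windows 10/11 builds.

```powershell
# Added example, not part of the Imprivata documentation or product.
# Checks the endpoint-side prerequisites in the user's own session:
#   - hybrid join: DomainJoined and AzureAdJoined both YES in dsregcmd /status
#   - Windows Hello for Business provisioned for this user: NgcSet YES
#   - Kerberos working for the Hello sign-in: a krbtgt ticket in the cache
# Assumption: dsregcmd.exe and klist.exe print the "Key : Value" layout of
# current Windows 10/11 builds. Nothing here is Imprivata-specific.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Keys containing spaces are ignored; the ones checked below have none.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-KerberosTgt {
    # klist tgt prints the cached ticket-granting ticket; its ServiceName is krbtgt.
    # If the logon session has no TGT, klist reports an error instead.
    $out = (& klist.exe tgt 2>&1) -join "`n"
    return [bool]($out -match 'krbtgt')
}

function Test-WhfbPrerequisites {
    $s = Get-DsregStatus
    $checks = [ordered]@{
        HybridJoined    = ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES')
        WhfbProvisioned = ($s['NgcSet'] -eq 'YES')
        EntraPrt        = ($s['AzureAdPrt'] -eq 'YES')   # Primary Refresh Token present
        KerberosTgt     = (Test-KerberosTgt)
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ('{0,-16} {1}' -f $name, $state)
    }
    # Overall result: $true only when every individual check passed.
    return -not ($checks.Values -contains $false)
}

Test-WhfbPrerequisites
```

The user-state fields (NgcSet, AzureAdPrt) describe the account that launched dsregcmd, so run the script as the user who signed in with Windows Hello, not from an elevated prompt running under a different account. A FAIL on KerberosTgt after a successful Hello sign-in is the case the Kerberos-enabled prerequisite is meant to catch: without a TGT the Imprivata agent cannot accept Kerberos authentication in place of its own.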
Authentication Workflow
The following is an example of the authentication workflow:
- A user authenticates to the private workstation using either a Windows Hello-compatible biometric device or PIN.
  Everything associated with the user account, such as files, shares, and all other applications, is available to them.
- The user opens one or more applications that are enabled for SSO (profiled).
  If an application profile is configured to share credentials with the domain, the user might be prompted for their credentials the first time they open the application:
  - The user is prompted for their credentials because authentication has been delegated to Windows Hello for Business. Because the user did not log in through the Imprivata agent, their domain password remains unknown (unenrolled) and therefore cannot be proxied for SSO.
  - The Imprivata agent learns the credentials, and on subsequent login attempts to the application the credentials are proxied.
Configuring Windows Hello for Business Authentication
Configuring Windows Hello for Business authentication requires that you:
- When delegating authentication from the Imprivata agent to a non-Imprivata credential provider, such as Windows Hello for Business, Kerberos authentication is required. For more information, see Configuring Kerberos Authentication.
- Configure a computer policy that allows Kerberos authentication.
To configure the computer policy:
- Go to the General tab > Authentication section.
- Select Accept Kerberos authentication in place of OneSign authentication.
- Go to the Walk-Away Security tab > Lock and warning behavior section. If the lock behavior is set to Desktop remains visible (transparent screen lock), set it to Obscure the desktop.
  Authenticating with Windows Hello for Business does not support transparent screen lock.
- Save the policy and apply it to the required Windows endpoints.
  For more information, see Assigning Computer Policies.
If you updated the lock and warning behavior, see the following known issue.
Known Issue — SSO becomes Inactive after Login
This behavior occurs if the computer policy was previously configured for transparent screen lock. It occurs only once per Windows endpoint.
Symptom:
The workstation reaches the inactivity threshold and becomes locked.
When the user unlocks the workstation with a Windows Hello-compatible biometric device or PIN, the Imprivata agent might fail to identify the user. As a result, the Imprivata agent is disabled and SSO is inactive.
Workaround:
The user must log off and log back in. Locking/unlocking the workstation does not re-enable SSO.