Configuring Windows Hello for Business Authentication

You can delegate user authentication from the Imprivata agent to Windows Hello for Business. In a deployment where Windows Hello for Business is configured as an authentication method:

  • The Imprivata agent is installed on all endpoint computers, but the Imprivata login module is unregistered. The user authenticates to Imprivata Enterprise Access Management using a Windows Hello-compatible biometric device or PIN.

  • If the user policy is configured for single sign-on (SSO), the authenticated user continues to have access to their Imprivata SSO-enabled applications. The Imprivata agent continues to proxy all user credentials to enabled applications.

Prerequisites

Review the following prerequisites before you begin:

  • Your Imprivata user directory (domain) is hybrid-joined to Entra ID.

    An on-premises-only Active Directory domain and an Entra ID cloud-only domain are both unsupported.

  • Verify that your Windows Hello for Business deployment is:

    • Functioning normally on your Windows endpoints, independently of Enterprise Access Management.

    • Kerberos-enabled. Delegating authentication from the Imprivata agent to a non-Imprivata credential provider, such as Windows Hello for Business, requires Kerberos authentication for the Hello sign-in.

  • A single-user (type 1) agent is installed on your Windows endpoints.

    • Support is limited to single-user (private) workstations.

    • Multi-user desktop (MUD) workstations, where several users share one Windows desktop, are not supported.

NOTE: For additional support information, see "Authentication Methods and Peripherals > Authentication" in the Imprivata Enterprise Access Management-SSO Supported Components matrix.
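The following PowerShell script is an added example and is not part of the Imprivata documentation or product. It checks the three endpoint-side prerequisites above on a single workstation by parsing the output of the built-in dsregcmd.exe and klist.exe tools: that the device is hybrid-joined (both AzureAdJoined and DomainJoined report YES), that the signed-in user has a Windows Hello for Business key (NgcSet reports YES), and that the current session holds a Kerberos TGT, which a Kerberos-enabled Hello sign-in must produce. The function names are the example's own; the key names come from dsregcmd /status output.

```powershell
# Added example (not Imprivata code): verify Windows Hello for Business prerequisites
# on one endpoint before delegating Imprivata authentication to it.
# Assumptions: a Windows client with dsregcmd.exe and klist.exe (both ship with Windows),
# run in the NON-elevated session of a user who signed in with a Hello PIN or biometric,
# because both the NgcSet value and the Kerberos ticket cache are per-user.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoin([hashtable]$Status) {
    # Hybrid join means joined to on-premises AD AND joined to Entra ID.
    # AD-only (no AzureAdJoined) and cloud-only (no DomainJoined) are both unsupported.
    return ($Status['AzureAdJoined'] -eq 'YES') -and ($Status['DomainJoined'] -eq 'YES')
}

function Test-WhfbProvisioned([hashtable]$Status) {
    # NgcSet becomes YES once the user has enrolled a Windows Hello for Business key here.
    return $Status['NgcSet'] -eq 'YES'
}

function Test-KerberosTicket {
    # On a Kerberos-enabled deployment, a Hello sign-in leaves a TGT (krbtgt/REALM) in the
    # user's ticket cache. If none is present, Kerberos is not working for Hello sign-ins
    # and delegation from the Imprivata agent will not work either.
    $tickets = & klist.exe tickets 2>$null
    return [bool]($tickets | Select-String -Pattern 'krbtgt/' -Quiet)
}

$s = Get-DsregStatus
$results = [ordered]@{
    'Hybrid Entra ID join (AzureAdJoined + DomainJoined)' = Test-HybridJoin $s
    'Windows Hello for Business key provisioned (NgcSet)'  = Test-WhfbProvisioned $s
    'Kerberos TGT present for current user (klist)'        = Test-KerberosTicket
}
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $check.Key)
}
# Non-zero exit lets a deployment tool flag endpoints that are not ready.
if ($results.Values -contains $false) { exit 1 }
```

Run it in the signed-in user's own session rather than an elevated prompt; an elevated prompt reports the NGC and ticket state of the administrator account instead of the user you are validating. It does not check the Imprivata agent type (single-user versus MUD), which is a property of the agent installation rather than of the Windows sign-in.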

Authentication Workflow

The following is an example of the authentication workflow:

  1. A user authenticates to the private workstation using either a Windows Hello-compatible biometric device or PIN.

    Everything associated with the user account, such as files, shares, and all other applications are available to them.

  2. The user opens one or more applications that are enabled for SSO (profiled).

    If an application profile is configured to share credentials with the domain, the user might be prompted for their credentials the first time they open the application:

    • The user is prompted for their credentials because authentication has been delegated to Windows Hello for Business.

      Because the user did not log in through the Imprivata agent, the agent never captured their domain password (it remains unenrolled), so there is nothing for it to proxy for SSO.

    • The Imprivata agent learns the credentials the user enters, and on subsequent logins to that application it proxies them automatically.

Configuring Windows Hello for Business Authentication

Configuring Windows Hello for Business authentication requires that you:

Known Issue — SSO becomes Inactive after Login

This behavior occurs if the computer policy was previously configured for transparent screen lock, and it occurs only once per Windows endpoint:

Symptom:

The workstation reaches the inactivity threshold and becomes locked.

When the user unlocks the workstation with a Windows Hello-compatible biometric device or PIN, the Imprivata agent might fail to identify the user. As a result, the Imprivata agent is disabled and SSO is inactive.

Workaround:

The user must log off and log back in. Locking/unlocking the workstation does not re-enable SSO.