I am very excited as more organizations are looking into deploying Windows Hello for Business and some even trying to go password-less. Something that has come up recently in my conversations with you has been how Windows Hello for Business works behind the scenes. I’ll use this short post to explain how the credential is provisioned and how it is used upon authentication in Windows.

Windows 10 devices that are joined (hybrid Azure AD joined, or Azure AD joined) will provision this credential upon user first logon, when the user is provisioning the Windows Hello for Business gesture (PIN, fingerprint, facial recognition) (there are more details about when this happens in this post). I won’t get into the details of the experience but will rather go into detail on what keys are generated, how they are used and what state is stored in the directory.

(1) Before the user provisions the gesture, the following has been generated in the device: Let’s call it Kuser (Kuser-pri or Kuser-pub depending on the context).

(2) Also, the following has been provisioned previously as part of device registration (when the device becomes joined to Azure AD):