Windows Hello For Business - Elevate to domain admin

Darren Moore 0 Reputation points
2024-04-09T14:57:04.0833333+00:00

I have recently implemented Windows Hello for Business on a couple of test users. I have deployed via a GPO and have a hybrid environment using Entra Kerberos. I require two factors for authentication with the following options: PIN, face, fingerprint, and while on-prem a trusted network takes the place as the second factor. I want to move to a passwordless environment and require WHFB to log in (policy Interactive login, Require Windows Hello for Business or smart card). The question I have is, how do you run an administrative task if you cannot use passwords, to elevate to a domain admin when a task is required? With this policy enabled, I cannot use my domain admin user; do I have something reconfigured? I don't want to allow a password to log in, as that defeats the purpose of the 2 factors. But obviously I need to use a domain admin account on occasion.


1 answer

  1. Q&A Assist
    2024-04-09T14:57:04.1+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Hello for Business is a two-factor authentication method that replaces passwords with a strong credential that enables easy two-factor authentication. When the policy "Interactive login, Require Windows Hello for Business or smart card" is enabled, users are required to use Windows Hello for Business or a smart card to log in. However, if you need to run an administrative task that requires domain admin privileges, you can use the "Run as different user" option to run the task as a domain admin. This option allows you to enter the credentials of a domain admin account to run the task with the necessary privileges.
