About the specification of PRT token used in Windows Hello for Business

shotaemon 0 Reputation points
2024-11-12T01:33:51.34+00:00

Subject: Inquiry about PRT token specifications in Windows Hello for Business

I would like to ask about the specifications of the PRT token used in Windows Hello for Business.

■ Environment

We are currently considering introducing Windows Hello for Business into our current environment. We are considering a configuration with Hybrid Join and an authentication method using cloud Kerberos trust.

■ Premise

According to the public information listed below, we understand that a token called a PRT token is used in Windows Hello for Business, and that the validity period of the PRT token is 14 days.

■ Question

We understand that the PRT token is automatically updated if it is connected to the Internet every day. However, if the device is not used for a while, such as when an employee is on leave or using a shared PC, is it correct that the token will not be updated as per the specifications?

Also, if our understanding above is correct, to update the PRT token, do we need to sign in to Windows with a password and connect to the internet, instead of using PIN or biometric authentication?

Thank you for your time and consideration.


1 answer

  1. Yanhong Liu 13,665 Reputation points Microsoft Vendor
    2024-11-12T07:10:32.48+00:00

    Hello,

    The Primary Refresh Token (PRT) is a JSON Web Token (JWT) used by Windows 10 and later devices for single sign-on (SSO) to Microsoft Entra ID resources and applications. The PRT is created when a user signs in on their device and is then used to request access tokens for various resources.

    The default validity period of a PRT token is 14 days. After this period, the PRT needs to be refreshed to maintain continuous access to resources.

    The PRT is designed to be updated regularly as long as the device is connected to the internet. This typically happens every 4 hours through a background network authentication process.

    If a device is not used for an extended period (e.g., an employee is on leave or the device is a shared PC that isn't used regularly), the PRT token will not be updated. When the user returns, they might find the PRT has expired if the device has been offline for more than 14 days.

    Steps to Renew PRT Manually

    1. Connect to the Internet: Ensure the device is connected to the internet.
    2. Sign In with Password: To manually trigger the renewal of the PRT, the user needs to sign in to Windows using their password, not the Windows Hello for Business method (PIN or biometrics).
    3. Lock and Unlock the Device: Lock the device (Windows + L) and then unlock it to force a network authentication that attempts to renew the PRT.
    4. Check PRT Status:

    • Open Command Prompt as an administrator.

    • Run the command:

    dsregcmd /status

    • Look for the AzureAdPrt section. The AzureAdPrtUpdateTime field should indicate the last time the PRT was updated.

    Impact on Authentication

    With cloud Kerberos trust, the PRT is crucial for SSO. If the PRT is expired or invalid, the user may be prompted for additional authentication.

    Important Considerations

    • Network Connectivity: Ensure reliable internet access during the manual renewal process.

    • Device Policies: Ensure there are no group policies or configurations that prevent background PRT renewal.

    Best regards

    Yanhong

    =====================================

    If the answer is helpful, please click "Accept answer" and upvote it.

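As an added example (not part of the thread or Microsoft's own tooling), the following PowerShell script automates the "Check PRT Status" step of the answer: it parses `dsregcmd /status`, reads the AzureAdPrt and AzureAdPrtUpdateTime fields and reports whether the PRT is older than the 14-day window. The "Key : Value" layout of the SSO State section and the "yyyy-MM-dd HH:mm:ss.fff UTC" timestamp format are assumptions about the dsregcmd output; the embedded sample is constructed so the parser can be tried offline.

```powershell
# Added example, not from the Q&A thread: check PRT age from dsregcmd /status output.
# Assumption: the "SSO State" section prints "Key : Value" lines, and AzureAdPrtUpdateTime
# uses the form "yyyy-MM-dd HH:mm:ss.fff UTC". The 14-day default comes from the answer.
param(
    [switch]$UseSample,      # parse the constructed sample below instead of querying the device
    [int]$MaxAgeDays = 14    # default PRT validity period
)

# Constructed sample of the relevant dsregcmd /status lines (timestamps are made up).
$sample = @'
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-10-20 07:10:32.000 UTC
'@

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Only "Key : Value" lines carry data; box-drawing and blank lines are skipped.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Get-PrtAge {
    param([hashtable]$Fields, [datetime]$Now = [datetime]::UtcNow)
    if ($Fields['AzureAdPrt'] -ne 'YES') { return $null }    # no PRT on this device
    $stamp   = $Fields['AzureAdPrtUpdateTime'] -replace '\s*UTC$', ''
    $updated = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss.fff', $null)
    return $Now - $updated
}

$raw = if ($UseSample) { $sample -split '\r?\n' } else { & dsregcmd /status }
$age = Get-PrtAge -Fields (ConvertFrom-DsregStatus -Lines $raw)

if ($null -eq $age) {
    Write-Output 'No PRT present: sign in with the password while online to obtain one.'
} elseif ($age.TotalDays -gt $MaxAgeDays) {
    Write-Output ('PRT last updated {0:N1} days ago, beyond the {1}-day window: renew it with a password sign-in while online.' -f $age.TotalDays, $MaxAgeDays)
} else {
    Write-Output ('PRT last updated {0:N1} days ago, within the {1}-day window.' -f $age.TotalDays, $MaxAgeDays)
}
```

Run it with `-UseSample` to exercise the parser on the constructed output; without the switch it queries the local device.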
