
Windows 10 Security: Microsoft Passport and Virtual Secure Mode

In this Ask the Admin, I’ll explain how Microsoft Passport will implement key-based authentication to make two-factor authentication easy without a Public Key Infrastructure (PKI), and where Virtual Secure Mode (VSM) fits in to protect against common attacks.

Previously dubbed Next Generation User Credentials, Microsoft Passport will debut in Windows 10. Working in conjunction with a new security feature called Virtual Secure Mode, which protects credentials from Pass-the-Hash (PtH) attacks (a technique used by attackers to move laterally across networks by means of stolen credentials), Passport aims to replace passwords by making two-factor authentication simpler to deploy.

Multifactor Authentication

Most of us are familiar with the concept of authenticating to a system using a combination of something we know and something we have, usually a smartcard plus a PIN or password. But traditionally smartcards have been the preserve of large corporates, not least because of the extra hardware required, but also because of the need to maintain a PKI, which can be complex to say the least.

[Figure: Microsoft Passport in Windows 10 (Image Credit: Microsoft)]

Microsoft Passport

Microsoft Passport differs from currently available forms of two-factor authentication by using a unique asymmetric key pair that Windows 10 can generate itself and store securely with the help of a hardware Trusted Platform Module (TPM). While there will be the option to use keys generated by a PKI, Passport’s key-based authentication option will significantly lower the barrier to adoption, and could prove to be more secure than PKI.


A passport’s public key can be stored in Azure Active Directory (AAD), and as such is supported for users with a Microsoft account, or in Windows Server 2016 Active Directory. Active Directory in existing versions of Windows Server will be updated this summer to support Microsoft Passport, but it’s not clear yet which domain and forest functional levels will be required. If you opt to use PKI, instead of the key-based authentication option, Active Directory won’t need to be modified to support Microsoft Passport.

Passport relies on a TPM to provide a properly secured solution, which Microsoft hopes will be part of every Windows PC sold in 2015, but devices without a hardware TPM will still be able to use Passport, although it won’t be as secure. Nevertheless, it’s likely to be a better option than using a password alone.
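To make the key-based model concrete, here is an added example (not Microsoft's code, and not a description of Passport's wire protocol, which this article does not cover) of the pattern it describes: the device generates an asymmetric key pair, only the public half is registered with the directory, and logon is proven by signing a one-time challenge with the private half. The `Directory` and `Device` types, the user name "alice" and the nonce-based challenge are all assumptions made for the illustration; on real hardware the private key would be held by the TPM rather than by a Go value.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory stands in for the identity provider (Azure AD or AD in the article).
// It holds only public keys and the one-shot challenge it last issued per user.
type Directory struct {
	pubKeys map[string]*ecdsa.PublicKey
	nonces  map[string][]byte
}

func NewDirectory() *Directory {
	return &Directory{pubKeys: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Register stores the public half of a device-generated key pair; no secret is shared.
func (d *Directory) Register(user string, pub *ecdsa.PublicKey) { d.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the user (hypothetical protocol step).
func (d *Directory) Challenge(user string) ([]byte, error) {
	if _, ok := d.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.nonces[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and then consumes the nonce,
// so a captured (nonce, signature) pair cannot be replayed.
func (d *Directory) Verify(user string, nonce, sig []byte) bool {
	pub, ok := d.pubKeys[user]
	if !ok {
		return false
	}
	expected, ok := d.nonces[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(d.nonces, user) // one-time use
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Device stands in for the Windows 10 client; the private key never leaves it.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (dev *Device) Public() *ecdsa.PublicKey { return &dev.priv.PublicKey }

// Sign answers a challenge with an ECDSA signature over SHA-256(nonce).
func (dev *Device) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, dev.priv, digest[:])
}

// Demo runs registration and logon end to end and reports three outcomes:
// a genuine logon succeeds, a replayed response is rejected, a foreign key is rejected.
func Demo() (genuine, replay, foreign bool, err error) {
	dir := NewDirectory()
	dev, err := NewDevice()
	if err != nil {
		return
	}
	dir.Register("alice", dev.Public()) // "alice" is a constructed sample user

	nonce, err := dir.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := dev.Sign(nonce)
	if err != nil {
		return
	}
	genuine = dir.Verify("alice", nonce, sig)
	replay = dir.Verify("alice", nonce, sig) // same captured pair presented again

	other, err := NewDevice() // a device whose key was never registered
	if err != nil {
		return
	}
	nonce2, err := dir.Challenge("alice")
	if err != nil {
		return
	}
	sig2, err := other.Sign(nonce2)
	if err != nil {
		return
	}
	foreign = dir.Verify("alice", nonce2, sig2)
	return
}

func main() {
	genuine, replay, foreign, err := Demo()
	fmt.Println("genuine:", genuine, "replay:", replay, "foreign:", foreign, "err:", err)
}
```

The point to take from the example is what the directory never holds: there is no password hash or shared secret on the server side to steal, and an intercepted logon response is worthless once its nonce has been consumed. That is the property the article credits with lowering the barrier compared with a full PKI, since the device can mint its own key pair without a certificate authority in the loop.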

Virtual Secure Mode

New in Windows 10, Virtual Secure Mode provides a secure execution environment where processes that were previously run in Windows, such as the Local Security Authority (LSA) and the code integrity service, are moved to Trustlets (processes) in an OS running in a separate hardware-based Hyper-V container, to which Windows has no access. There’s no GUI, and no network access to the container, and even if the Windows kernel is compromised, processes and data stored in the VSM container should remain safe.

Tokens and hashes (derived security credentials) are not released from the VSM, but are instead handed over to Windows in a new form that can’t be replayed on the PC. Additionally, NTLM hashes are decoupled from the logon secret, and randomized and managed to protect against brute force attack.

Windows Hello (Biometrics)

Microsoft Passport will allow you to use another device as a smartcard, such as a smartphone, which is an extension of the virtual smartcard feature already found in Windows 8. But Windows 10 will also include Windows Hello, a new feature which for the first time includes the middleware required to make fingerprint readers, iris scanners, and facial recognition hardware work without the need to install anything more than the driver for the device.

In the past, if for example you wanted to use a webcam for facial recognition, third-party software, usually provided by the hardware manufacturer, had to be installed to get the solution working. Not only did this require extra effort and management for enterprises, but also trust. Windows Hello bakes all the required software into the OS, and provides an integrated user experience for quick and natural logon without a password.

FIDO Alliance

Microsoft Passport has been designed using FIDO (Fast IDentity Online) Alliance standards to easily integrate with other platforms and services. It’s also worth noting that users will be able to have more than one passport, which can be used to sign into different services.

At the time of writing, Microsoft Passport is not supported in the current build of Windows 10, but as soon as the system goes live, check back at the Petri IT Knowledgebase for a technical how-to, so you can evaluate the solution quickly.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
