Forum Discussion

rahuljindal-MVP
Bronze Contributor
Jun 16, 2022

Windows Hello for Business HAADJ & AADJ

I have a customer who wants to implement Windows Hello for Business. The devices are co-managed and are HAADJ. The infrastructure is meeting all the pre-reqs for the key trust method, so I am planning to use the same. However, instead of using the GPO to enable and configure Windows Hello on endpoints, I am thinking of using Intune to deliver the policies. But there is more. The customer wants a POC for Autopilot, and the devices are expected to end up as AADJ. So my question is: can I use the same Windows Hello Intune policies for AADJ devices, considering that Windows Hello will work out of the box for AADJ devices? Also, will I need to use the on-prem configuration even for AADJ devices, which will mean that I will need to configure a CRL distribution point additionally, to say the least?

  • Oktay Sari
    Iron Contributor

    Hi rahuljindal-MVP ,

    Yes, you can use Intune to configure WHfB for AAD joined (MDM enrolled) devices. And as far as I know, yes again: I'm afraid you'll have to configure on-prem too (CRL etc.). Check out the prerequisites in this doc. If you continue to read to the end of that doc, you'll also see how to configure WHfB.
    However, you mention that the client wants to start with a POC. My advice would be NOT to configure WHfB from the Windows Enrollment > Windows Hello for Business blade. This is a tenant-wide configuration and applies to all users and all devices.
    Instead, configure WHfB from the Endpoint Security > Account Protection blade. This will give you more granular control, where you can apply WHfB to only the POC group.
    Hope this helps.

    • rahuljindal-MVP
      Bronze Contributor

      Thanks for the response. I should have mentioned that I had already gone through the official documents before posting over here. Windows Hello for Business works out of the box for AAD devices. It doesn't need to authenticate with AD. However, what I am trying to establish is whether this can work alongside the hybrid setup for Windows Hello for Business to support HAADJ devices or not. If not, and if AADJ devices do need to authenticate with AD for Windows Hello, then will setting up a CRL be an absolute requirement?
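The thread turns on which join state a device actually ends up in (HAADJ during co-management, AADJ after Autopilot) and whether a Windows Hello key has been provisioned for the signed-in user. The following PowerShell is an added example written for this page, not code from either participant or from Microsoft: it parses the text output of `dsregcmd /status` so the POC group can be checked before and after the Intune policy is assigned. The field names `AzureAdJoined`, `DomainJoined` and `NgcSet` are assumed to match the "Device State" and "User State" sections of `dsregcmd` output on current Windows builds; the sample output at the bottom is constructed, not captured from a real device.

```powershell
# Added example (not from the thread): classify a device's join type and
# report whether a Windows Hello for Business key (NGC) exists for the
# current user, based on the text output of `dsregcmd /status`.
# Assumption: the output contains "AzureAdJoined", "DomainJoined" and
# "NgcSet" lines formatted as "<Name> : <YES|NO>". Verify on your build.

function Get-WhfbJoinState {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # Data lines look like "    AzureAdJoined : YES"; box-drawing and
        # section-title lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S+)') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $ad  = $fields['DomainJoined']  -eq 'YES'
    $joinType = if ($aad -and $ad) { 'HAADJ' }
                elseif ($aad)      { 'AADJ' }
                elseif ($ad)       { 'DomainOnly' }
                else               { 'NotJoined' }

    [pscustomobject]@{
        JoinType    = $joinType
        WhfbKeySet  = ($fields['NgcSet'] -eq 'YES')
        # Per the thread: HAADJ key trust relies on the on-prem side (DCs, CRL
        # reachability), while AADJ devices authenticate against AAD only.
        NeedsOnPrem = ($joinType -eq 'HAADJ')
    }
}

# Constructed sample output (not from a real device) so the function can be
# exercised offline; omit -StatusLines to query the local machine instead.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
'@ -split "`r?`n"

Get-WhfbJoinState -StatusLines $sample
```

With the constructed sample the function reports `JoinType = HAADJ`, `WhfbKeySet = True` and `NeedsOnPrem = True`; on an Autopilot-built device it should report `AADJ` with `NeedsOnPrem = False`, which is the distinction the question is asking about. Run it on one device from each population before and after assigning the Account Protection policy, and a device whose `WhfbKeySet` stays `False` after the user has signed in is the one to investigate first.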
