rahuljindal-MVP
Jun 16, 2022, Bronze Contributor
Windows Hello for Business HAADJ & AADJ
I have a customer who wants to implement Windows Hello for Business. The devices are Co-managed and are HAADJ. The infrastructure is meeting all the pre-reqs for a KEY trust method so I am planning t...
Oktay Sari
Jun 16, 2022, Iron Contributor
Hi rahuljindal-MVP,
Yes, you can use Intune to configure WHfB for AAD joined (MDM enrolled) devices. And as far as I know, yes again, I'm afraid you'll have to configure on-prem too (CRL etc.). Check out the prerequisites in this doc. If you continue reading to the end of that doc, you'll also see how to configure WHfB.
However, you mention that the client wants to start with a POC. My advice would be NOT to configure WHfB from the Windows Enrollment > Windows Hello for Business blade. This is a tenant-wide configuration and applies to all users and all devices.
Instead, configure WHfB from the Endpoint Security > Account Protection blade. This will give you more granular control, where you can apply WHfB to only the POC group.
Hope this helps
- rahuljindal-MVP, Jun 16, 2022, Bronze Contributor
Thanks for the response. I should have mentioned that I had already gone through the official documents before posting over here. Windows Hello for Business works out of the box for AAD devices. It doesn't need to authenticate with AD. However, what I am trying to establish is whether this can work alongside a hybrid setup for Windows Hello for Business to support HAADJ devices or not. If not, and if AADJ devices do need to authenticate with AD for Windows Hello, then is setting up a CRL an absolute requirement?
- Moe_Kinani, Jun 19, 2022, Bronze Contributor
I would use the new Hybrid Trust model before diving into CRL; it should be a complete replacement for that complex infrastructure. Cloud trust uses Azure AD Kerberos, which doesn't require any PKI to get the user a TGT.
FYI, I use it for authenticating Azure AD devices against a traditional file share using WHfB. It's magic, no certificate server. It should cover hybrid devices with WHfB as well.
Moe
- rahuljindal-MVP, Jun 19, 2022, Bronze Contributor
Thanks Moe. I would love to use it, but since it is still in preview and considering the limitations, unfortunately I can't implement this just yet.
- Oktay Sari, Jun 17, 2022, Iron Contributor
Hi rahuljindal-MVP, I haven't had to deal with the exact same scenario you describe before, so I can't give you a definitive answer. However, in this case, personally I would configure WHfB from the Endpoint Security > Account Protection blade and target a test group. This way you can test and see if this kind of configuration meets your requirements fairly easily, and it won't affect production users.
Hope this helps (or that someone else can help you out with a better answer)
Regards,
Oktay
- rahuljindal-MVP, Jun 17, 2022, Bronze Contributor
Thanks. I intend to use the same. Cheers.