Windows Hello for Business HAADJ & AADJ
Thanks for the response. I should have mentioned that I had already gone through the official documents before posting over here. Windows Hello for Business works out of the box for AAD devices. It doesn't need to authenticate with AD. However, what I am trying to establish is whether this can work alongside a hybrid setup for Windows Hello for Business to support HAADJ devices or not. If not, and if AADJ devices do need to authenticate with AD for Windows Hello, then will setting up CRL be an absolute requirement?
I would use the new Hybrid Trust model before diving into CRL; it should be a complete replacement for that complex infrastructure. Cloud trust uses Azure AD Kerberos, which doesn't require any PKI to get the user a TGT.
FYI, I use it for authenticating Azure AD devices against a traditional file share using WHFB. It's magic, no certificate server. It should cover Hybrid Devices with WHFB as well.
Moe
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
- rahuljindal (Bronze Contributor), Jun 18, 2022: Thanks Moe. I would love to use it, but since it is still in preview and considering the limitations, unfortunately I can't implement this just yet.