Forum Discussion
Windows Hello for Business allowing enrollment when domain/ADFS is unavailable?
Hello. I have a lab setup in order to validate some assumptions about Windows Hello for Business (WHfB). I have a laptop with Windows 10 build 19044. I have a domain built with Windows Server 2019 with a separate domain controller, ADFS server and CA. ADFS is configured with Ping MFA. I have configured the environment per the WHfB On-Prem certificate trust deployment documentation. My laptop uses Azure P2S to access the Windows servers (in Azure) and is domain joined only. I have only the GPO for WHfB enabled.
What I was really trying to test was MFA during enrollment. I enabled a PIN and fingerprint on my device SUCCESSFULLY, but without MFA.
So I deleted the PIN and tried a few more SUCCESSFUL enrollments, including when not connected to VPN and even when the entire domain was shut down. So, apparently I am not getting enrolled in WHfB, but rather with a convenience PIN (I suppose), but that should not be possible with my GPO settings... and frankly it makes it impossible to test what I am trying to test.
Since this is not supposed to happen, I am wondering if anyone has any insight into what in fact is happening? Is WHfB somehow doing an offline enrollment? How can I tell if I have a convenience PIN configured rather than Certificate authentication?
GPO from GPResult:

| Policy | Setting | Winning GPO |
|---|---|---|
| Use certificate for on-premises authentication | Enabled | Enable Windows Hello 3 |
| Use Windows Hello for Business | Enabled | Enable Windows Hello 3 |