Hi all,
We are working to deploy Windows Hello for Business with the Cloud Kerberos trust model to our hybrid joined workstations. Unfortunately, we have discovered that if a user does not have line of sight to a domain controller when they attempt to sign in to their workstation for the first time with WHfB, they are blocked from signing in and receive a cryptic and misleading error message. Apparently this is "working as designed" per Windows Hello for Business Frequently Asked Questions (FAQ) | Microsoft Learn.
Practically speaking, how does one roll this out if they have mobile users and do not have an always-on VPN?
- Jason_Sandys (Microsoft), Mar 19, 2026
Hi RyanSteele-CoV,
I don't think there's any direct or easy path around this. I know this isn't an answer that will make you happy, but hybrid join isn't meant for or best for hybrid work scenarios.
Question: are you using Autopilot to provision these hybrid join devices?
- RyanSteele-CoV (Steel Contributor), Mar 19, 2026
Hi Jason_Sandys, and thanks for confirming my suspicions. I am happy to have something to show my boss 🙂
And no, we did not use Autopilot to provision these devices.