Windows hello for business for Hybrid Entra Join

Brass Contributor


-No UPN matching between onprem AD and Azure, Third party federation and User provisioning .

-Hybrid Entra Joined devices

-Enrolled to Intune using device credentials as SCCM is setup with co management (Cloud Attach).


Whether setting up Windows hello for business (Which was working before enrollment) using GPO / or Intune. An error is returned.


"this sign in option is only available when connected to your organization's network"

"Fingerprint and Face"

"The option is currently unavailable"

Multiple methods to setup WFH was attempted and none worked so far.

-Devices -> Win 10 -> Enrollment -> "Configure Windows hello for business"

-Using Custom settings as described here(CSP or GPO):

-Biometrics devices updated/ Windows updates installed/ All devices and users affected in the organization.

-What could be the issue? Any best effort to get the windows hello for business working again?

2 Replies
Hi, i’ve written a guide on this maybe this can help you out. Check it out here:
Thanks for your reply, The pre-requisites for Kerberos is kinda what the problem is here which is why I posted this topic.

A DC (server 2016 or 2019 with the latest updates) -> Available (Any DC? We have multiple DCs for different domains due to mergers, etc...)
MFA --------> What kind of MFA? As third party is also providing MFA currently as identity is third party federated.
AzureAD AD Kerberos powershell module-> Available
AD Connect configured (I have User Sync, Password Hash Sync, Password Writeback enabled in my Demo lab) -----------------> Not available, Ad connect is setup to sync computers only, reason being users are third party federated and provisioned(domain is changed to cloud domain upon provisioning by third party ) i.e. no upn match between onpremise AD and Cloud.
A client PC (Windows 10 or Windows 11 with the latest updates) -> Available
An intune license ->Available
A device or VM with a TPM 2.0 chip -> Available