Forum Discussion
Windows Hello for Business HAADJ & AADJ
Hi rahuljindal,
Yes, you can use Intune to configure WHfB for AAD joined (MDM enrolled) devices. And as far as I know, yes again, I'm afraid you'll have to configure on-prem too (CRL etc.). Check out the prerequisites in https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base. If you continue to read to the end of that doc, you'll also see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base#configure-windows-hello-for-business-device-enrollment.
However, you mention that the client wants to start with a POC. My advice would be NOT to configure WHfB from the Windows Enrollment > Windows Hello for Business blade. This is a tenant-wide configuration and applies to all users and all devices.
Instead, configure WHfB from the https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/accountprotection blade. This will give you more granular control, where you can apply WHfB to only the POC group.
Hope this helps
Thanks for the response. I should have mentioned that I had already gone through the official documents before posting over here. Windows Hello for Business works out of the box for AAD devices. It doesn't need to authenticate with AD. However, what I am trying to establish is whether this can work alongside a hybrid setup for Windows Hello for Business to support HAADJ devices or not. If not, and if AADJ devices do need to authenticate with AD for Windows Hello, then is setting up a CRL an absolute requirement?