
Windows Hello for Business HAADJ & AADJ


I have a customer who wants to implement Windows Hello for Business. The devices are co-managed and are HAADJ. The infrastructure is meeting all the pre-reqs for a KEY trust method, so I am planning to use the same. However, instead of using the GPO to enable and configure Windows Hello on endpoints, I am thinking of using Intune to deliver the policies. But there is more. The customer wants a POC for Autopilot and the devices are expected to end up as AADJ. So my question is: can I use the same Windows Hello Intune policies for AADJ devices, considering that Windows Hello will work out of the box for AADJ devices? Also, will I need to use the on-prem configuration even for AADJ devices, which will mean that I will need to configure a CRL distribution point additionally, to say the least?

6 Replies

Hi @rahuljindal-MVP ,

Yes, you can use Intune to configure WhfB for AAD joined (MDM enrolled) devices. And as far as I know, yes again, I'm afraid you'll have to configure on-prem too (CRL etc.). Check out the prerequisites in this doc. If you continue to read to the end of that doc, you'll also see how to configure WhfB.

However, you mention that the client wants to start with a POC. My advice would be NOT to configure WhfB from the Windows Enrollment>Windows Hello for Business blade. This is a tenant-wide configuration and applies to all users and all devices.

Instead, configure WhfB from the Endpoint Security>Account Protection blade. This will give you more granular control where you can apply WhfB to only the POC group.

 

Hope this helps

Thanks for the response. I should have mentioned that I had already gone through the official documents before posting over here. Windows Hello for Business works out of the box for AAD devices. It doesn't need to authenticate with AD. However, what I am trying to establish is whether this can work alongside a hybrid setup for Windows Hello for Business to support HAADJ devices or not. If not, and if AADJ devices do need to authenticate with AD for Windows Hello, then will setting up CRL be an absolute requirement?

Hi @rahuljindal-MVP, I haven't had to deal with the exact same scenario you describe before, so I can't give you a definitive answer. However, in this case, personally I would configure WhfB from the Endpoint Security>Account Protection blade and target a test group. This way you can test and see if this kind of configuration meets your requirements fairly easily, and it won't affect production users.

Hope this helps (or that someone else can help you out with a better answer)

regards

Oktay

Thanks. I intend to use the same. Cheers.

@rahuljindal-MVP

I would use the new Hybrid Trust model before diving into CRL; it should be a complete replacement for that complex infrastructure. Cloud trust uses Azure AD Kerberos that doesn't require any PKI to get the user a TGT.

FYI, I use it for authenticating Azure AD devices against a traditional file share using WHFB. It’s magic, no certificate server. It should cover Hybrid Devices with WHFB as well.

Moe

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...

Thanks Moe. I would love to use it, but since it is still in preview and considering the limitations, unfortunately I can't implement this just yet.