Windows Hello for Business allowing enrollment when domain/ADFS is unavailable?


Hello. I have a lab setup in order to validate some assumptions about Windows Hello for Business (WHfB). I have a laptop with Windows 10 build 19044. I have a domain built with Windows Server 2019 with a separate domain controller, ADFS server and CA. ADFS is configured with Ping MFA. I have configured the environment per the WHfB On-Prem certificate trust deployment documentation. My laptop uses Azure P2S to access the Windows servers (in Azure) and is domain joined only. I have only the GPO for WHfB enabled.

What I was really trying to test was MFA during enrollment. I enabled a PIN and fingerprint on my device SUCCESSFULLY, but without MFA.

So I deleted the PIN and tried a few more SUCCESSFUL enrollments, including when not connected to VPN and also even when the entire domain was shut down. So, apparently I am not getting enrolled in WHfB, but rather with a convenience PIN (I suppose), but that should not be possible with my GPO settings... and frankly makes it impossible to test what I am trying to test.

Since this is not supposed to happen, I am wondering if anyone has any insight into what in fact is happening? Is WHfB somehow doing an offline enrollment? How can I tell if I have a convenience PIN configured rather than Certificate authentication?

GPO from GPResult

Windows Components/Windows Hello for Business
Policy                                                   Setting    Winning GPO
Use certificate for on-premises authentication           Enabled    Enable Windows Hello 3
Use Windows Hello for Business                           Enabled    Enable Windows Hello 3
Do not start Windows Hello provisioning after sign-in    Disabled
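One way to answer the last question in the post above (added example, not the poster's own script): a WHfB certificate-trust enrollment leaves a Smart Card Logon certificate in the user's personal store whose private key lives in the Microsoft Passport Key Storage Provider, while a convenience PIN leaves no such certificate, and `dsregcmd /status` reports the NGC user state and prerequisite check. The script assumes it runs in the enrolled user's session on the Windows 10 client and that the `NgcSet`, `CertEnrollment` and `PreReqResult` fields appear in that output.

```powershell
# Added example, not from the original post: tell a WHfB certificate-trust
# enrollment apart from a convenience PIN on a domain-joined Windows 10 client.
# Assumes it runs in the enrolled user's session and that dsregcmd.exe is present.

function Get-DsregValue {
    # Pull one "Name : value" field out of dsregcmd /status output.
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*{0}\s*:\s*(.+?)\s*$' -f [regex]::Escape($Name)
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

$status       = dsregcmd /status
$ngcSet       = Get-DsregValue -Lines $status -Name 'NgcSet'          # user state: PIN container exists?
$certEnroll   = Get-DsregValue -Lines $status -Name 'CertEnrollment'  # NGC prereq check: cert enrollment path
$preReqResult = Get-DsregValue -Lines $status -Name 'PreReqResult'    # WillProvision / WillNotProvision

# A certificate-trust WHfB enrollment leaves a Smart Card Logon certificate in the
# user's MY store whose private key lives in the Passport KSP. A convenience PIN does not.
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$passportKsp       = 'Microsoft Passport Key Storage Provider'
$whfbCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $smartCardLogonEku)
} | Where-Object {
    # GetRSAPrivateKey returns $null for non-RSA keys; opening may fail if the key is inaccessible.
    try { $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_) }
    catch { $key = $null }
    ($key -is [System.Security.Cryptography.RSACng]) -and ($key.Key.Provider.Provider -eq $passportKsp)
}

$verdict = if (@($whfbCerts).Count -gt 0) {
    'WHfB certificate trust: Passport-KSP smart card logon certificate present'
} elseif ($ngcSet -eq 'YES') {
    # Assumption: a convenience PIN also creates an NGC container, so NgcSet alone is not conclusive.
    'PIN container present but no WHfB certificate: convenience PIN or incomplete enrollment'
} else {
    'No PIN container found'
}

[pscustomobject]@{
    NgcSet         = $ngcSet
    CertEnrollment = $certEnroll
    PreReqResult   = $preReqResult
    WhfbCertCount  = @($whfbCerts).Count
    Verdict        = $verdict
}
```

If `CertEnrollment` reads `none` while a PIN is set, the client never reached the certificate-trust enrollment path, which matches the offline "enrollments" described in the post.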
