Windows Hello for Business: Hybrid Certificate Trust + Modern Management - NDES RA


Contoso wants to implement Windows Hello for Business.

 

Walking through the "Planning a Windows Hello for Business Deployment" process with Contoso resulted in the following deployment parameters:


1. Hybrid - customer has AD and Azure AD (federated environment with ADFS)
2. Certificate Trust - customer already has ADCS PKI and wants to reuse WHFB certificates for other purposes (e.g., AlwaysOn VPN.)
3. All PCs are Hybrid Azure AD Joined (no non-domain-joined PCs; no Azure AD Joined PCs.)
4. Contoso wants to use Modern Management (Intune) policy to manage the WHFB PCs - not Group Policy.

 

Note that Contoso is a federated environment, so they could use group policy and an ADFS RA. But they don't want to (creates another dependency on ADFS, which is undesirable.)

 

Above requirements yield a need for an NDES Registration Authority.

 

The Windows Hello for Business Hybrid Certificate Trust Deployment Guide does not document this scenario with modern management and an NDES RA. It only describes deployment with Group Policy management and an AD FS RA. (link: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...)

 

Is it supported to deploy Windows Hello for Business Hybrid Certificate Trust using only modern management and an NDES RA?

 

(Note: I can supply the WHFB planning worksheet for Contoso.)
