Hello everyone, my name is Zoheb Shaikh and I’m a Solution Engineer working with the Microsoft Mission Critical team (SfMC). Today I’ll share an interesting discussion about Windows Hello and the need for VPN/Connectivity with Domain Controllers.
Recently I was interacting with an SfMC customer and was told that many users fail to register to Windows Hello for Business (WHFB) unless they connect to VPN or the Office network. The critical question that came my way was how to get your users to register with the least possible hassle, and if we can help here.
I said of course I can help, after all I am your trusted Advisor 
Before I start sharing any more details, I would like to give you some background on their implementation and about Windows Hello for Business.
What is Windows Hello for Business: " In Windows 10/11, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses biometric or PIN.”
For more details, please read the Documentation here
Coming back to our customer scenario: They were running a hybrid environment with domain controllers on 2019, Azure AD Connect using Password Hash Sync and Co-Managed devices.
They recently had implemented a WHFB hybrid deployment model with Key trust for their mixed environment, with around 40% of users working from home.
WHFB was enabled through Intune, and a pilot was conducted for around 50 users.
Here the feedback on the results:
- Users in Office (Connected to LAN)
- Users were prompted for enrolment and worked without any issues.
- Once at home, PIN/Biometrics worked fine.
- Users working from Home
- Some users had a smooth experience, however others had a little bumpy ride.
- Some had issues setting their PIN,
- Few set their PIN successfully but at next Logon it failed using PIN/Biometrics
- The workaround was to connect to VPN, login with PIN after which it continued working even without a VPN connection
Based on what they explained to me it seemed the issue is with users who are working from home when connecting through VPN or not connecting to VPN.
Customer Expectations: Windows Hello for Business Enrolment should work seamlessly even if user is working is working from Home.
Being a part of Mission Critical team, we always strive to not only help customers advice on some of the Problem areas but more importantly to understand the situation and try to come up with a solution where possible.
In this scenario it was clear that WHFB works well for users connected to Office Network (Where Domain Controllers are in line of sight) but when users are at Home it does not work well for authentication.
Key aspect for Work from Home users we separated was that the users were successfully registering/Enrolling to WHFB but when attempting to Authenticate using WHFB many were failing.
Based on our research Specifically, this scenario only exists if you are using Hybrid Azure AD join (HAADJ). HAADJ may not be the best for Hybrid work (Thanks Jason Sandys for raising this).
The below diagram represents how Windows Hello works:
We concluded that a newly provisioned user will not be able to sign in using Windows Hello for Business until
- Azure AD (ENTRA ID) Connect successfully synchronizes the public key to the on-premises Active Directory
- Device has line of sight to the domain controller for the first time.
- This is a limitation in HAADJ and not with AADJ
Post answering these questions we had some recommendations for them also as below :
- As an organization you should plan on moving from HAADJ to AADJ. AADJ does not have this limitation. Refer for more details
- Evaluate Cloud Kerberos Trust Deployment instead of Key Trust
The customer now understood why it is needed but had a follow up question.
Well, I have few users who never connect to VPN and are not visiting office at all, what can we do about them.
My response to that was it could be achieved using Cloud Only trust model, see details here.
Another query which came after this was with our deployment architecture (WHFB hybrid deployment model with Key trust) will also need Domain Controller in Line of Sight every time ? No, This is only needed at 1st time Authentication and is not needed on an ongoing basis.
Hope this helps,
Zoheb