Windows Hello for Business
3 Topics

Windows Hello for Business for Hybrid Entra Join
Environment:
- No UPN matching between on-prem AD and Azure, third-party federation and user provisioning.
- Hybrid Entra Joined devices
- Enrolled to Intune using device credentials, as SCCM is set up with co-management (Cloud Attach).

Question: Whether setting up Windows Hello for Business (which was working before enrollment) using GPO or Intune, an error is returned.
PIN: "this sign in option is only available when connected to your organization's network"
Fingerprint and Face: "The option is currently unavailable"

Multiple methods to set up WHFB were attempted and none worked so far.
- Devices -> Win 10 -> Enrollment -> "Configure Windows hello for business"
- Using custom settings as described here (CSP or GPO): https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure
- Biometrics devices updated / Windows updates installed / All devices and users affected in the organization.
- What could be the issue? Any best effort to get Windows Hello for Business working again?

219 Views, 0 likes, 0 Comments

WHFB-Cloud Kerberos Trust Compatible for Server 2012 R2
Hi,

We have a Hybrid AAD join environment and currently have DC: 2012 R2 along with ADC 2019. Currently we have the Cloud Kerberos model and need to configure WHFB via GPO. Is 2012 R2 compatible with that, or do we need to upgrade it to Server 2016? Any suggestions or experience?

I have already gone through the Microsoft reference link below, which mentions that Server 2016 is the minimum requirement. However, 2012 R2 is the production one, so we don't want to upgrade it. Is Windows Hello for Business workable in that scenario?

https://learn.microsoft.com/en-gb/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune

550 Views, 0 likes, 0 Comments

Windows Hello for Business: Hybrid Certificate Trust + Modern Management - NDES RA
Contoso wants to implement Windows Hello for Business. Walking through the "Planning a Windows Hello for Business Deployment" process with Contoso resulted in the following deployment parameters:

1. Hybrid - customer has AD and Azure AD (federated environment with ADFS)
2. Certificate Trust - customer already has ADCS PKI and wants to reuse WHFB certificates for other purposes (e.g., AlwaysOn VPN.)
3. All PCs are Hybrid Azure AD Joined (no non-domain-joined PCs; no Azure AD Joined PCs.)
4. Contoso wants to use Modern Management (Intune) policy to manage the WHFB PCs - not Group Policy. Note that Contoso is a federated environment, so they could use group policy and an ADFS RA. But they don't want to (creates another dependency on ADFS, which is undesirable.)

Above requirements yield a need for an NDES Registration Authority.

The Windows Hello for Business Hybrid Certificate Trust Deployment Guide does not document this scenario with modern management and an NDES RA. It only describes deployment with Group Policy management and an AD FS RA. (link: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust)

Is it supported to deploy Windows Hello for Business Hybrid Certificate Trust using only modern management and an NDES RA?

(Note: I can supply the WHFB planning worksheet for Contoso.)

1.6K Views, 0 likes, 0 Comments