Windows Hello for Business: Azure AD Join vs. Hybrid Join
Alex Fields
Windows Hello for Business replaces the traditional password for signing in to your workstation with stronger two-factor authentication: one factor is a local gesture such as a PIN, fingerprint or facial recognition, and the other is a key or certificate that is bound to the device itself.
When you do as you’re supposed to and join PCs to Azure AD rather than a local / legacy Active Directory, Windows Hello for Business is set up for you auto-magically. No special infrastructure or certificates, no federated services or other junk. It just works.
This is on by default for Microsoft 365 subscriptions that include Intune. So when a computer is joined to Azure AD and enrolled for MDM, one of the first things a new user will be prompted to do is set up their Hello PIN on their Windows 10 device.
If you go look in the Intune portal, you will find some settings for controlling Windows Hello for Business under Device enrollment > Windows enrollment > Windows Hello for Business.
That’s all fine and good… unless you aren’t doing as you’re supposed to. If you are one of those poor souls still joining their PCs to a traditional Active Directory domain, then you’re going to run into a problem with these default Hello settings when you go to enroll your “hybrid-joined” devices for MDM.
While a “hybrid-joined” user will still get prompted to create a PIN, they will immediately discover that they cannot actually use it. They might see a message like:
Windows couldn’t sign you in.
Your credentials could not be verified.
The same thing will happen for facial recognition or fingerprint. Bummer.
The reason is that Windows Hello for Business is disabled by default on domain-joined computers. If you want to set up Windows Hello for Business in a hybrid environment, there is a whole lot of technical groundwork required before it’s ready to rock. And it’s not a breezy process, either.
There are actually two different methods for configuring Windows Hello for Business in a hybrid environment:
- Hybrid Azure AD Joined Certificate trust deployment (legacy)
- Hybrid Azure AD Joined Key trust deployment (preferred)
A certificate trust deployment requires you to have AD FS set up in your environment, so this is not a popular option: many orgs are trying to get away from Active Directory Federation Services and all the complexity that comes with it.
The key trust deployment can be completed with or without federation and will therefore be preferred in most circumstances. Either way, you will need Azure AD Connect installed and configured, as well as an enterprise PKI (meaning a Certificate Authority installed in your domain, with certificates issued to your domain controllers). You also need at least one Windows Server 2016 domain controller in each site; in a very large organization you need to plan for an “adequate number” of 2016 domain controllers.
As setting all of this up is not a trivial task, I think it is worth asking yourself: is this worth the effort? Especially if you are trying to get rid of the legacy domain, and this hybrid stuff is just an intermediate step that should be temporary. Consider that question first, then proceed. Here are your three options, as I see them:
Option 1: Hybrid Azure AD Join (Key Trust deployment)
If you decide to move forward with a full hybrid deployment, then you must meet the prerequisites and subsequently follow along with the installation process described by Microsoft. There are several linked articles in this series: just step through them to the end.
Option 2: Skip ahead to Azure AD Join (not hybrid join)
For a lot of smaller sized organizations especially, this will actually make the most sense. Traditional Active Directory, after all, is like 20 years old. Why hang on to the past? If you just start joining your PCs to Azure AD straight out of the box, you’re going to fall in love, and be that much closer to nixing your old domain for good. It’s easy, it doesn’t require any local hardware or server, and you can manage it from anywhere.
If you have Azure AD Connect in place, as most hybrid organizations do, then Azure AD Joined machines can still seamlessly access on-premises resources. Sure, group policies from the local DC will not deploy to your workstation, but you can configure policies from Intune instead.
The biggest downside is that if you have local resources like printers, then you need to install those locally per PC. But in my mind that’s a small trade-off for all the other cloud benefits, and you can find other options out there for printer deployment / management anyway.
Option 3: Disable Windows Hello for Business in Intune
You can also just ask Intune to leave the Windows Hello Pandora’s box well enough alone. The setting is under Device enrollment > Windows enrollment > Windows Hello for Business.
When you’re over your case of hybrid-join madness, you will wake up out of your stupor and it will hit you: you should just go straight Azure AD Join, as you should have in the first place! Then you can come back in here and re-enable this. But until then, just let the domain password continue to be the login method. Also be sure there are no Hello settings being deployed by other configuration profiles or Security baselines.
Option 4: Don’t be fooled by option 4
Some bloggers out there have pointed toward the “fix” of enabling a convenience PIN. Don’t fall for it. This is a GPO found at Computer Configuration\Administrative Templates\System\Logon, and it goes by two different names (they are the same setting; one is just a newer version of the ADMX whose wording emphasizes that it is for convenience, not security):
- Turn on PIN sign-in
- Turn on convenience PIN sign-in (updated wording)
This setting does not enable your “Hello” PIN but rather a local PIN, which actually caches your domain password on the computer inside a convenient little wrapper (no bueno). Convenience PINs and Hello PINs are mutually exclusive; you will have issues if you try to enable both. Switching to the convenience PIN couldn’t be further from the spirit of Windows Hello for Business. It is actually a big downgrade for your security, so don’t do it.
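As an added example (not part of the original post), here is a PowerShell check you can run on a workstation to tell whether it is Azure AD joined or hybrid joined, whether Hello for Business has actually provisioned, and whether the convenience-PIN GPO from Option 4 is in effect. It assumes the dsregcmd /status field names shown below and the registry path the convenience PIN policy writes to; verify both on your build.

```powershell
# Added example, not from the original post: classify a device's join state from
# 'dsregcmd /status' and flag the convenience-PIN policy that Option 4 warns about.
# Assumption: dsregcmd prints "Name : Value" lines with the field names used below.
# Run in the signed-in user's context so the per-user Hello (NGC) fields are populated.

function Get-DsregStatus {
    # Parse every "Name : Value" line from dsregcmd into a hashtable.
    $table = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $table[$Matches[1]] = $Matches[2]
        }
    }
    return $table
}

function Get-JoinType {
    param([hashtable]$Status)
    $aad    = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain)           { return 'Domain joined only (not registered with Azure AD)' }
    return 'Not joined'
}

$status = Get-DsregStatus
$join   = Get-JoinType -Status $status
Write-Host "Join state    : $join"
Write-Host "Hello key set : $($status['NgcSet'])"        # YES once a Hello key exists for this user
Write-Host "Hello prereqs : $($status['PreReqResult'])"  # WillProvision / WillNotProvision

if ($join -like 'Hybrid*' -and $status['PreReqResult'] -ne 'WillProvision') {
    Write-Warning 'Hybrid-joined device without Hello prerequisites: the PIN will fail with "Your credentials could not be verified" until key trust or certificate trust is in place, or until Hello is disabled in Intune (Option 3).'
}

# Option 4 check. Assumption: the "Turn on (convenience) PIN sign-in" GPO writes
# AllowDomainPINLogon = 1 under this key. A convenience PIN caches the domain
# password locally; it is not Windows Hello for Business and should stay off.
$convKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$conv = (Get-ItemProperty -Path $convKey -Name AllowDomainPINLogon -ErrorAction SilentlyContinue).AllowDomainPINLogon
if ($conv -eq 1) {
    Write-Warning 'Convenience PIN sign-in is enabled by policy: this is a security downgrade, not Hello for Business. Remove that GPO setting.'
} else {
    Write-Host 'Convenience PIN policy : not enabled (good)'
}
```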