
Windows Hello for Business replaces a traditional password when signing into your workstation with a stronger two-factor authentication. One factor is some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other is a key or certificate that is bound to the device itself. When you do as you’re supposed to, and join PCs to Azure AD rather than a local / legacy Active Directory, Windows Hello for Business is set up for you auto-magically. No special infrastructure or certificates, no federated services or other junk. This is on by default for Microsoft 365 subscriptions that include Intune.

So when a computer is joined to Azure AD and enrolled for MDM, one of the first things a new user will be prompted to do is set up their Hello PIN on their Windows 10 device. If you go look in the Intune portal, you will find some settings for controlling Windows Hello for Business under Device enrollment > Windows enrollment > Windows Hello for Business.

The same thing will happen for facial recognition or fingerprint. The reason is that Windows Hello for Business is disabled by default on domain-joined computers. If you want to set up Windows Hello for Business in a hybrid environment, there is a whole bunch of technical stuff required before it’s ready to rock. There are actually two different methods for configuring Windows Hello for Business in a hybrid environment:

- Hybrid Azure AD Joined Certificate trust deployment (legacy)
- Hybrid Azure AD Joined Key trust deployment (preferred)

A certificate trust deployment requires you to have AD FS set up in your environment. So this is not a popular option, as many orgs are trying to get away from Active Directory Federation Services and all the complexity that comes with it. The key trust deployment can be completed with or without federation and will therefore be preferred in most circumstances. Either way, you will need to have Azure AD Connect installed and configured, as well as an Enterprise PKI (meaning a Certificate Authority installed on your domain with certs being issued to your domain controller).
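To see where a hybrid-joined PC actually stands against those prerequisites, here is an added PowerShell example (my own illustration, not code from the original post or from Microsoft) that parses the output of dsregcmd /status and reports whether the device is hybrid joined, whether the Hello for Business policy is enabled, and whether a Hello key has already been provisioned. The field names it looks for (AzureAdJoined, DomainJoined, NgcSet, PolicyEnabled, IsUserAzureAD, PreReqResult) are the ones dsregcmd really prints; the sample output block inside the script is constructed so it runs offline, and the function names are mine.

```powershell
# Added example (not from the original post): summarise Windows Hello for Business
# readiness on a hybrid Azure AD joined PC from the output of "dsregcmd /status".
# Function names are hypothetical; the field names match real dsregcmd output.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Name : Value" pairs under boxed headings; flatten them into a hashtable.
    # Heading rows start with "|" or "+" and have no colon, so the regex skips them.
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WhfbReadiness {
    param([Parameter(Mandatory)][hashtable]$Status)
    $findings = New-Object System.Collections.Generic.List[string]

    # Hybrid join means BOTH joins are present (Azure AD Connect syncs the device object that makes this possible)
    if ($Status['AzureAdJoined'] -ne 'YES') { $findings.Add('Device is not Azure AD joined; hybrid join has not completed.') }
    if ($Status['DomainJoined']  -ne 'YES') { $findings.Add('Device is not domain joined; this is not a hybrid scenario.') }

    # Hello for Business is off by default on domain-joined PCs; it must be enabled via Intune or GPO
    if ($Status['PolicyEnabled'] -ne 'YES') { $findings.Add('Windows Hello for Business policy is not enabled on this device.') }

    # Key trust needs the signed-in user to be a synced Azure AD user
    if ($Status['IsUserAzureAD'] -ne 'YES') { $findings.Add('Signed-in user is not recognised as an Azure AD user (check Azure AD Connect sync).') }

    if ($Status['NgcSet'] -eq 'YES') { $findings.Add('A Hello key is already provisioned for this user.') }

    # dsregcmd itself reports the verdict of its prerequisite check as PreReqResult
    $ready = ($Status['PreReqResult'] -eq 'WillProvision') -or ($Status['NgcSet'] -eq 'YES')
    [pscustomobject]@{
        Ready        = $ready
        PreReqResult = $Status['PreReqResult']
        Findings     = $findings
    }
}

# Constructed sample shaped like real dsregcmd output, so the script runs without a joined machine.
# This one describes a hybrid-joined PC where the Hello for Business policy has not been enabled yet.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision
'@ -split "`r?`n"

# On a real machine, replace the sample with live output:  $sample = dsregcmd /status
$status = ConvertFrom-DsregStatus -Lines $sample
Test-WhfbReadiness -Status $status | Format-List
```

Run it in the context of the signed-in user, because the User State and Ngc Prerequisite Check sections are per-user; a result of WillNotProvision with "PolicyEnabled : NO" is the symptom the post describes for a domain-joined PC that has not had the Hello for Business policy pushed to it yet.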
