Looking for you! Deploying Windows Hello For Business in a Hybrid AD Joined environment
Page content
Face recognition on Apple iPhones has long been a trusted and secure way to sign-in to business apps on corporate phones. With the right camera hardware, it’s been available in Windows too for quite a while. This post describes deploying Windows Hello for Business (WHfB) in a Hybrid AD Joined environment.
The aim:
- Sign into hybrid AD joined Windows PC using Windows Hello for Business face recognition
- Seamless SSO authenticate to AD joined resources using NTLM and kerberos (such as file and print services, SQL databases, IIS websites etc..)
- Seamless SSO authenticate to cloud applications (such as Office 365)
The process:
- Ensure you have WHfB compatible camera hardware. These devices have an infrared imaging component.
- Ensure Windows machines are current OS Win10 22H2 or Win11. Chop chop! Get those feature releases rolling out promptly!
- Configure Windows Hello for Business cloud kerberos trust for seamless SSO to AD joined resources.
- Configure Windows PCs via group policy or Intune:
- Enable and manage WHfB with Group Policy.
Tip: you can disable auto-enrolment to prevent users from being prompted to setup WHfB. Tip: you may need to update the Group Policy templates in central store to see the cloud kerberos trust settings - This GPO setting is also required: Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in
- Enable and manage WHfB with Group Policy.
The limitations:
- Current Windows OS versions only. Win10 22H2 or Win11.
- RunAs, Privileged accounts (AD domain admins), RDP/VDI/W365 See Hello for Business cloud kerberos trust limitations
Hardware
Once you’ve tried WHfB for logins you won’t want to go back to passwords. Purchasing laptops or monitor hardware with built-in support for Windows Hello for Business delivers a great experience.
- I’m having success with the Logitech Brio Stream which works great with WHfB but required a firmware upgrade first.
- If you have the space, checkout this Ultrawide WHfB compatible monitor