Looking for you! Deploying Windows Hello For Business in a Hybrid AD Joined environment

Face recognition on Apple iPhones has long been a trusted and secure way to sign in to business apps on corporate phones. With the right camera hardware, it has been available in Windows for quite a while too. This post describes deploying Windows Hello for Business (WHfB) in a Hybrid AD Joined environment.

The aim:

  • Sign in to a hybrid AD joined Windows PC using Windows Hello for Business face recognition
  • Seamless SSO to AD joined resources using NTLM and Kerberos (such as file and print services, SQL databases, IIS websites, etc.)
  • Seamless SSO to cloud applications (such as Office 365)

The process:

  • Ensure you have WHfB compatible camera hardware. These devices have an infrared imaging component.
  • Ensure Windows machines run a current OS: Win10 22H2 or Win11. Chop chop! Get those feature releases rolling out promptly!
  • Configure Windows Hello for Business cloud Kerberos trust for seamless SSO to AD joined resources.
  • Configure Windows PCs via group policy or Intune:
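
One way to check a PC after working through the steps above, as an added example that is not part of the original post: it parses `dsregcmd /status` output and the WHfB policy values and reports which prerequisites for cloud Kerberos trust are missing. The function names are hypothetical, the sample data is constructed, and the registry path in the closing comment is assumed to be the one written by group policy.

```powershell
# Added example (not from the original post): WHfB cloud Kerberos trust readiness check.
function ConvertFrom-DsregStatus {
    param([string[]]$Text)
    $state = @{}
    foreach ($line in $Text) {
        # dsregcmd prints "   Key : Value" pairs; section banners do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-WhfbCloudTrustReadiness {
    param([string[]]$DsregText, $Policy)
    $s = ConvertFrom-DsregStatus -Text $DsregText
    $checks = [ordered]@{
        'Hybrid joined (AzureAdJoined and DomainJoined)' = ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES')
        'Primary Refresh Token issued (AzureAdPrt)'      = ($s['AzureAdPrt'] -eq 'YES')
        'On-premises Kerberos ticket (OnPremTgt)'        = ($s['OnPremTgt'] -eq 'YES')
        'WHfB credential provisioned (NgcSet)'           = ($s['NgcSet'] -eq 'YES')
        'Policy: WHfB enabled'                           = ($Policy.Enabled -eq 1)
        'Policy: cloud trust for on-prem auth'           = ($Policy.UseCloudTrustForOnPremAuth -eq 1)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

# Constructed sample: a PC that signs in to the cloud but has no cloud trust policy yet.
$sampleDsreg = @'
| Device State |
             AzureAdJoined : YES
              DomainJoined : YES
| User State |
                    NgcSet : YES
| SSO State |
                AzureAdPrt : YES
                 OnPremTgt : NO
'@ -split "`r?`n"
$samplePolicy = @{ Enabled = 1; UseCloudTrustForOnPremAuth = 0 }

Test-WhfbCloudTrustReadiness -DsregText $sampleDsreg -Policy $samplePolicy |
    Format-Table -AutoSize

# On a real PC (assumed GPO-delivered policy path; Intune stores its values elsewhere):
# $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
# Test-WhfbCloudTrustReadiness -DsregText (dsregcmd.exe /status) -Policy $policy
```

With the constructed sample, the two failing rows are the on-premises ticket and the cloud trust policy, which is the state where cloud sign-in works but SSO to AD joined resources does not.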

The limitations:


Once you’ve tried WHfB for logins you won’t want to go back to passwords. Purchasing laptops or monitor hardware with built-in support for Windows Hello for Business delivers a great experience.