Question
Monday, February 25, 2019 9:49 PM
Hi there,
I have created a lab for testing Windows Hello for Business.
I followed the official documentation to deploy a Hybrid Azure AD environment - https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust - but have run into the issue of actually deploying it to users.
When my device is logged into the local Active Directory domain and I try to configure Windows Hello, it always says that "This sign-in option is only available when connected to your organization's network". The only way to get around it is to remove my device from the local domain and then connect it to the Azure AD directory by using [email protected], which then allows me to set up Windows Hello.
Shouldn't I be able to have my device stay logged into the local AD domain and still register for Windows Hello with Business since it's hybrid AD joined?
My devices are auto-enrolling and confirmed to be Hybrid Azure AD Joined in the Azure Portal, and the Windows Hello GPOs are confirmed to be applying via RSOP and GPRESULT.
Thanks.
All replies (2)
Tuesday, February 26, 2019 2:02 AM
Hi Bernie,
If you are activating Azure AD Domain Join or Azure AD Hybrid Join for your clients, the setup requires your computer to be registered for Windows Hello for Business. You then log on to the device using a PIN and try to access a local resource, for instance by mapping a drive.
This fails every time with the following message:
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again.
The reason for this is that Windows Hello for Business has no trust between Active Directory and Azure AD. You need to establish trust by establishing a Hybrid Azure AD Joined trust.
This can be done in two ways, either Hybrid Azure AD Joined Key Trust Deployment or by Hybrid Azure AD Joined Certificate Trust Deployment.
Please refer to this link below for a step-by-step guide
Windows Hello on Azure AD Domain Joined devices - Access to local files
https://blog.nimtech.cloud/windows-hello-on-azure-ad-domain-joined-devices-access-to-local-files/
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
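Before reworking the deployment, it helps to confirm on the client which prerequisite is actually failing. The following PowerShell is an added diagnostic (not from this thread or from Microsoft) that parses `dsregcmd /status` output and reports the join, PRT and Hello prerequisite fields a hybrid key-trust deployment depends on; the field names (`DomainJoined`, `AzureAdJoined`, `AzureAdPrt`, `NgcSet`, `PolicyEnabled`, `PreReqResult`) are assumed from dsregcmd's Windows 10 output and do not appear on the page.

```powershell
# Added diagnostic, not part of the original thread. Field names are assumed
# to match what dsregcmd.exe /status prints on Windows 10.
function Get-DsregState {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Lines of interest look like "              AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HelloHybridPrereqs {
    param([hashtable]$State)
    $findings = @()
    # Hybrid Azure AD join means both the on-prem domain and Azure AD see the device.
    $hybrid = ($State['DomainJoined'] -eq 'YES') -and ($State['AzureAdJoined'] -eq 'YES')
    if (-not $hybrid) { $findings += 'Device is not Hybrid Azure AD joined (needs DomainJoined and AzureAdJoined = YES).' }
    # Key-trust provisioning needs a Primary Refresh Token for the signed-in (synced) user.
    if ($State['AzureAdPrt'] -ne 'YES') { $findings += 'No Azure AD PRT for this user; the user must sign in with a synced identity while Azure AD is reachable.' }
    if ($State['PolicyEnabled'] -ne 'YES') { $findings += 'Windows Hello for Business policy not applied on this device (PolicyEnabled != YES).' }
    if ($State['PreReqResult'] -ne 'WillProvision') { $findings += "Ngc prerequisite check result: $($State['PreReqResult'])" }
    [pscustomobject]@{ HybridJoined = $hybrid; NgcSet = $State['NgcSet']; Findings = $findings }
}

# Constructed sample resembling the questioner's situation: hybrid joined, but no PRT yet.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                AzureAdPrt : NO
                    NgcSet : NO
             PolicyEnabled : YES
              PreReqResult : WillNotProvision
'@ -split "`n"

Test-HelloHybridPrereqs (Get-DsregState -Lines $sample) | Format-List
```

Run `Test-HelloHybridPrereqs (Get-DsregState)` in the affected user's session to evaluate the live device instead of the sample.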
Thursday, February 28, 2019 9:07 AM
We have not heard from you in a couple of days. Please post back at your convenience if we can assist further.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].