Windows Hello OnPremise is not working

Luis Eduardo Reyes Gaspar 46 Reputation points
2021-01-04T18:58:29.58+00:00

Hi to Everyone. Happy New Year!!!!

I would like to implement and configure Windows Hello for Business using on-premises infrastructure only, for Windows 10 clients.

According to the Microsoft documentation, there are 5 steps that I need to configure:

  1. Validate Active Directory prerequisites
  2. Validate and Configure Public Key Infrastructure
  3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services
  4. Validate and Deploy Multifactor Authentication Services (MFA)
  5. Configure Windows Hello for Business Policy settings

Following previous steps, I have configured and implemented some prerequisites, but I have a question:

For MFA with AD FS, there are some tools that could be used. I used Azure MFA, but this feature needs licenses with MFA included; at this point I cannot continue because it is not clear to me. The company's infrastructure is as follows:

-Company has AD Connect configured to sync users to O365, and Office E1, E3 and E5 licenses are used
-Windows Server 2016 (Level Forest and Domain 2016)
-Schema is the latest

My doubts are:

Do I need to configure AD Connect with the AD FS service for Windows Hello?

I suppose I have to buy a license with the MFA feature included if I use Azure MFA, right?

And the last step, "Configure Windows Hello for Business Policy settings", mentions enabling the policy "Use certificate for on-premises authentication" in the Group Policy Management Editor in Active Directory, but this option does not appear. Why? I imagine this option is key for Windows Hello to work.

I hope you can help me; I have spent many days on this but cannot make progress!! :(

The documentation is not clear and I think everybody needs to look at other blogs to resolve their doubts!!

Best regards from Mexico

Luis Reyes


Accepted answer
Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
2021-01-06T14:15:52.027+00:00

Windows Hello for Business On-Premises is only for disconnected environments (no internet connectivity) or for customers without an Azure AD presence. In your case, you have both. You should use a Hybrid deployment.
Now, could you make it work anyway? Yes, but only for corner cases, and your users cannot be synchronized to Azure AD, the machines cannot be used in Conditional Access policies (no Azure AD Hybrid Join), etc., and you fall into an unsupported scenario (if you had a support contract).

Also, note that the Convenience PIN IS NOT Windows Hello for Business. You can't use both.


2 additional answers

Sort by: Most helpful
Pavel yannara Mirochnitchenko 11,626 Reputation points
2021-01-04T22:28:09.007+00:00

    I have enabled Windows Hello in On-prem only by enabling GPO and that's it.

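An added example, not posted by anyone in this thread, that turns the two answers above into a check you can run on a Windows 10 client: it reads the Windows Hello for Business policy values that the Group Policy settings write (including "Use certificate for on-premises authentication"), reads the Convenience PIN policy separately so the two are not confused, and parses `dsregcmd /status` to tell a domain-joined-only device from a hybrid Azure AD joined one. Assumptions: run it in an elevated PowerShell after `gpupdate /force`, the registry paths are the ones the corresponding policies populate (verify against your ADMX if in doubt), and the interpretation lines follow the accepted answer rather than adding rules of their own.

```powershell
# Added example (not from the original thread): audit Windows Hello for Business
# policy state and device join state on a Windows 10 client.
# Assumptions: run elevated after 'gpupdate /force'; the registry paths below are
# the ones the WHfB and Convenience PIN Group Policy settings write.

function Get-WhfbPolicyState {
    $whfbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $pinKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    # Read a DWORD policy value, or $null when the key/value is absent (policy not set)
    function Get-DwordOrNull($path, $name) {
        try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
        catch { $null }
    }

    $enabled  = Get-DwordOrNull $whfbKey 'Enabled'                     # "Use Windows Hello for Business"
    $certAuth = Get-DwordOrNull $whfbKey 'UseCertificateForOnPremAuth' # "Use certificate for on-premises authentication"
    $reqTpm   = Get-DwordOrNull $whfbKey 'RequireSecurityDevice'       # "Use a hardware security device"
    $convPin  = Get-DwordOrNull $pinKey  'AllowDomainPINLogon'         # "Turn on convenience PIN sign-in"

    [pscustomobject]@{
        WhfbEnabled           = ($enabled  -eq 1)
        UseCertForOnPremAuth  = ($certAuth -eq 1)
        RequireTpm            = ($reqTpm   -eq 1)
        ConveniencePinEnabled = ($convPin  -eq 1)
    }
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines; keep only the fields used here.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'NgcSet'
    $state  = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(\S+)' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

$policy = Get-WhfbPolicyState
$join   = Get-DeviceJoinState
$policy | Format-List
$join   | Format-List

# Interpretation, following the distinctions made in the accepted answer
if ($policy.ConveniencePinEnabled -and -not $policy.WhfbEnabled) {
    Write-Warning 'Convenience PIN is enabled but Windows Hello for Business is not: that PIN is not WHfB.'
}
if ($join.AzureAdJoined -eq 'YES' -and $join.DomainJoined -eq 'YES') {
    Write-Host 'Device is hybrid Azure AD joined: use the hybrid WHfB deployment, not on-premises only.'
}
elseif ($join.DomainJoined -eq 'YES') {
    Write-Host 'Device is domain joined only: the on-premises deployment (PKI + AD FS + MFA) applies.'
}
if ($policy.WhfbEnabled -and $join.NgcSet -ne 'YES') {
    Write-Host 'WHfB policy is applied but no Hello key has been provisioned for this user (NgcSet is not YES).'
}
```

`NgcSet : YES` under the user state in `dsregcmd /status` is the quickest sign that provisioning actually completed; a policy that shows as applied with `NgcSet : NO` means the client received the GPO but the enrollment (which on-premises depends on the PKI, AD FS and MFA steps in the question) has not happened.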

Luis Eduardo Reyes Gaspar 46 Reputation points
2021-01-05T04:07:51.99+00:00

In my case it is not working... What do I need to do to make it work?