Azure AD Connect hybrid domain, single server with pass-through authentication. Provisioning setup steps?

Shaun Rieman 41 Reputation points
2021-10-11T20:59:15.193+00:00

I'm trying to determine what the next steps should be to configure a new domain server environment. I'm using Azure AD Connect, pass-through authentication with SSO enabled.

I created a GPO Hybrid Azure AD join
Computer Configuration/Administrative Templates/Windows Components/Device Registration
"Register domain joined computers as devices" - "Enabled".

Modified Default Domain Policy to include:
User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page
Site to Zone Assignment List
https://autologon.microsoftazuread-sso.com - 1
https://device.login.microsoftonline.com - 1

User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
"Allow updates to status bar via script" - "Enabled".

I configured Azure AD Connect with Hybrid Azure AD Join with Azure AD as the authentication service.

Yet without setting to Enable Windows Hello for Business, biometrics and PIN remain unavailable.
User Configuration/Policies/Administrative Templates/Windows Components/Windows Hello for Business
"Use Windows Hello for Business" Enabled / "Do not start Windows Hello Provisioning after sign-in" Disabled

Why aren't users being prompted for PIN/biometrics setup at login? I'm joining a workstation using the typical "Join this device to a local Active Directory domain".

Everything seems to be replicating properly but I don't see any provisioning actions. Group policy is functioning properly and distributing things like browser security policy settings, for example. I know the base stack environment is configured properly, I'm just missing the next steps. Should I be looking at Intune Connector for Active Directory? Should this be my next step?
https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

I sincerely appreciate any time you can offer. Thank you.


Accepted answer
Nick Hogarth 3,436 Reputation points
2021-10-11T21:47:09.287+00:00

Intune connector for AD is used for Autopilot with Hybrid Azure AD Join. It creates the computer objects in AD. It sounds like you aren't using Intune or Autopilot. It sounds like you want to set up the hybrid key trust. See https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust

1 person found this answer helpful.
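A quick way to see which prerequisite is blocking the Hello for Business prompt is to read the device state that `dsregcmd /status` reports alongside the registry values the GPOs in the question write. The script below is an added example, not code from the question or the answer; it assumes the standard policy registry locations for the Device Registration, Windows Hello for Business (User Configuration) and Site to Zone Assignment settings, and the two Intranet-zone URLs from the question.

```powershell
# Added diagnostic example (not from the question or answer). Run in the
# signed-in user's session, unelevated, so the user-state sections of
# dsregcmd and the HKCU policy keys reflect that user.

function Get-DsregStatus {
    # Parse every "Name : Value" line of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoinPrereqs {
    $s = Get-DsregStatus
    $checks = [ordered]@{
        # Device State section: hybrid join and PRT are needed before WHfB
        'Domain joined'               = ($s['DomainJoined']  -eq 'YES')
        'Hybrid Azure AD joined'      = ($s['AzureAdJoined'] -eq 'YES')
        'Primary Refresh Token (PRT)' = ($s['AzureAdPrt']    -eq 'YES')
        # Ngc Prerequisite Check section: Hello for Business readiness
        'WHfB policy enabled'         = ($s['PolicyEnabled']    -eq 'YES')
        'Post-logon provisioning on'  = ($s['PostLogonEnabled'] -eq 'YES')
        'WHfB will provision'         = ($s['PreReqResult']     -eq 'WillProvision')
    }

    # Registry values behind the GPOs listed in the question (assumed paths).
    $wpj  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' -ErrorAction SilentlyContinue
    $whfb = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    $zone = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' -ErrorAction SilentlyContinue

    $checks['GPO: Register domain joined computers as devices'] = ($wpj.autoWorkplaceJoin -eq 1)
    $checks['GPO: Use Windows Hello for Business']              = ($whfb.Enabled -eq 1)
    $checks['GPO: provisioning after sign-in not disabled']     = ($whfb.DisablePostLogonProvisioning -ne 1)
    $checks['GPO: autologon URL in Intranet zone (1)']          = ($zone.'https://autologon.microsoftazuread-sso.com' -eq '1')
    $checks['GPO: device.login URL in Intranet zone (1)']       = ($zone.'https://device.login.microsoftonline.com' -eq '1')
    return $checks
}

Test-HybridJoinPrereqs | Format-Table -AutoSize
```

Any row reporting False is the layer to fix first; the Ngc rows in particular are what the hybrid key trust guide linked in the answer requires before the provisioning prompt appears.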
