to workstation hybrid azure ad joined using WHfB

hiennv10 1 Reputation point

Hello everyone,

Currently, our organization deploys Windows Hello for Business using the Key Trust model. When an end user takes a workstation (already provisioned for WHfB with a PIN) out of the office (not connected to a Domain Controller), that end user cannot sign in to the workstation using the PIN, or even the password. When they bring the workstation back onto the office network (connected to a Domain Controller), they can sign in to the workstation using both the PIN (WHfB) and the password.
When an end user needs to sign in to a workstation using WHfB, does the user's workstation need to be connected to a Domain Controller to sign in? If the workstation is required to connect to a Domain Controller, what solution is used for users who work outside the office without connecting to a Domain Controller?

Please help me answer my question,

Thank you.


1 answer

  1. Pierre Audonnet - MSFT 10,121 Reputation points Microsoft Employee

    Only the first logon requires a line of sight with a domain controller.

    So if the user already used the password or the PIN to sign in on that very same machine, this should work when the user is disconnected from the network. This is made possible by a feature of the operating system called Cached Credentials. However, if one disables this feature, you will experience the behavior you are describing.

    Can you check this registry path on one of these machines: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount. Is that 0 or a very low value (<2)?

    More information is available here:

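The registry check the answer asks for, as an added PowerShell example (not code from the answer or from Microsoft): it reads CachedLogonsCount from the Winlogon key, treats an absent value as the Windows default of 10, and flags the condition the answer describes (0 or below 2). It assumes it is run in an elevated PowerShell session on the affected hybrid-joined workstation; the helper function name `Test-CachedLogonsCount` is this example's own.

```powershell
# Added example, not part of the original answer.
# Reads the Winlogon CachedLogonsCount value the answer refers to and reports
# whether cached credentials are effectively disabled, which would explain
# why PIN and password sign-in both fail when no domain controller is reachable.
# Assumption: run elevated on the workstation being checked.

function Test-CachedLogonsCount {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # The value is stored as a string (REG_SZ). When it is missing, Windows
    # behaves as if it were set to the default of 10.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $count  = 10
        $source = 'default (value not present)'
    }
    else {
        $count  = [int]$item.$name
        $source = 'registry'
    }

    $result = [pscustomobject]@{
        CachedLogonsCount = $count
        Source            = $source
        OfflineSignInOk   = ($count -ge 2)
    }

    if (-not $result.OfflineSignInOk) {
        Write-Warning ("CachedLogonsCount is $count ($source): cached credentials are " +
                       "effectively disabled, so PIN/password sign-in will fail without " +
                       "line of sight to a domain controller.")
    }
    else {
        Write-Host ("CachedLogonsCount is $count ($source): offline sign-in should work " +
                    "once the user has signed in at least once while a DC was reachable.")
    }

    return $result
}

Test-CachedLogonsCount
```

If the value comes back as 0 or 1, it is usually set by the security policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, so check Group Policy results (for example with `gpresult /h report.html`) before changing the registry directly, or the setting will simply be reapplied at the next policy refresh.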