Environment
- Windows 10 Professional devices, Hybrid Azure AD Joined (physical)
- Server 2019 DCs
- AD Connect 1.5.45
- Key Trust setup
- Endpoint Manager used to deploy WHfB
- CRL distribution point published to internal and external web servers
- Verified CA and CA+.crl files are accessible from LAN and non-LAN connected Windows 10 endpoints
Details
When the WHfB wizard runs for the first time and the user is off the LAN, the PIN setup completes without issue.
However, once the user signs out or locks the screen, the PIN code does not work and "Your credentials could not be verified" is displayed. This is also taking into account the 30 min sync back to AD Connect.
However, once the user reverts to using their password to sign in and then activates the VPN AND then locks the workstation whilst still connected, the PIN code will work for the unlock.
Subsequent use of the PIN will also work when the VPN is not connected, including PIN change and reset.
LAN based devices have no issue at all and WHfB works as expected.
Can anyone advise what the correct workflow is when enrolling off LAN?
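A diagnostic for the two prerequisites the behaviour above depends on: that the client has finished NGC key provisioning and holds an Azure AD PRT, and that AD Connect has written the public key back to the on-prem user object so a DC can validate the PIN. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on the machine running the directory check, a placeholder account name, and the dsregcmd /status field names NgcSet and AzureAdPrt.

```powershell
# Added diagnostic (not from the original post). Run the client part on the
# enrolled Windows 10 device and the directory part on a host with RSAT.
param([string]$UserSam = "jdoe")   # constructed placeholder account name

# 1. Client side: has the user's NGC key been set, and is an Azure AD PRT present?
#    NgcSet / AzureAdPrt are the field names dsregcmd /status prints on Windows 10;
#    treat them as an assumption if your build prints different labels.
$text   = (dsregcmd /status | Out-String)
$ngcSet = if ($text -match 'NgcSet\s*:\s*(\S+)')     { $Matches[1] } else { 'unknown' }
$prt    = if ($text -match 'AzureAdPrt\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
Write-Host "Client: NgcSet=$ngcSet AzureAdPrt=$prt"

# 2. Directory side: until AD Connect syncs the key into msDS-KeyCredentialLink on
#    the on-prem user, a DC cannot verify the PIN. This is the window the post
#    refers to as the 30 min sync back to AD Connect.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $UserSam -Properties msDS-KeyCredentialLink
$keys = @($user.'msDS-KeyCredentialLink')
if ($keys.Count -eq 0) {
    Write-Warning "No msDS-KeyCredentialLink on $UserSam yet; key has not synced from Azure AD."
} else {
    Write-Host "Directory: $($keys.Count) key credential(s) present on $UserSam"
}
```

If the key is present in AD but the PIN still fails off the LAN, the remaining dependency is line of sight to a DC (directly or over the VPN) for the first Kerberos logon with the new key, which is consistent with the unlock only succeeding after the VPN was connected.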