I have a home AD server and a Windows Surface Laptop. I want to enable my family to open the laptop, and based on facial recognition, it will log them into their respective AD account. I'm seeing conflicting responses on setting this up. Do I only need to enable Windows Hello for Business in GPO, or do I need to go through this full Windows Hello for Business Deployment Guide to enable this?

I ask because I tried following that guide first, but encountered a known issue with Windows Server 2019. When I run this command...

    Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

...it fails as outlined here.

So in order to get this to work, I'm going to have to blow away my current AD setup and start over with Windows Server 2016. Before doing that, I wanted to make ABSOLUTELY CERTAIN that I need to follow that guide to get Windows Hello working with AD the way I want it to.

  • "it fails" - _in which way_? Does it hang? Does the computer catch fire? Is there an error message? If so, what does the error message say? Be mindful that you're the only person who can see your screen :) – Mathias R. Jessen Nov 10 '20 at 16:55
  • I didn't go into it because I'm certain I can't get past that error. This post details it as a known issue that Microsoft won't help with and won't respond to. https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3225 – user3351429 Nov 10 '20 at 17:01
  • If you're convinced that you know the answer, what is the purpose of this question then? – Mathias R. Jessen Nov 10 '20 at 17:35
  • My question wasn't about the error. I've had people tell me that I ONLY need to enable Windows Hello via GPO, and that I don't need to go through the full "Certificate Trust Deployment" to get this to work. Do you know if that's correct? – user3351429 Nov 10 '20 at 18:36

0 Answers