Setting up Windows Hello for Business for On Premise AD

Anonymous
2025-02-11T17:09:11+00:00

Trying to deploy Windows Hello for Business in the environment while trying to maintain everything on premise. GPO has been set but I couldn't get the provision part to work. After reading guides I was able to get it working utilizing ADFS. However, it fails when trying to set up the PIN. It appears that it's trying to communicate with Azure AD to authenticate. The environment does not have any ties to Azure at this time. Am I missing anything or has anyone done something similar?

Windows Hello for Business on-premises certificate trust deployment guide | Microsoft Learn

Windows Server Identity and access Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2025-02-12T08:12:26+00:00

    Hello

    It sounds like you're trying to deploy Windows Hello for Business in a completely on-premises Active Directory (AD) environment, and you're encountering issues with the PIN provisioning step. Since your environment is not currently tied to Azure AD, the behavior you're seeing where it's trying to authenticate with Azure AD is definitely something to look into. Let’s break this down:

    Key Issues:

    ADFS (Active Directory Federation Services): If you've successfully set up ADFS for Windows Hello for Business (WHfB), that’s good because ADFS can act as the authentication broker for WHfB in an on-premises AD environment. But ADFS should be properly configured to issue certificates for WHfB and ensure that the correct communication happens between client devices, ADFS, and the domain controllers.

    PIN Setup Issue: When a user tries to set up their PIN, it typically needs to authenticate with an infrastructure that verifies their identity via authentication methods (usually certificates). If WHfB is looking to Azure AD during this process, it usually means that some part of the cloud integration might have inadvertently been enabled or there’s a misconfiguration causing the PIN setup to try connecting to Azure AD.

    Potential Causes and Solutions:

    AAD Sync or Hybrid Configurations: Even though your environment is on-premises, check whether there is any hybrid configuration enabled that could be tying the environment to Azure AD unintentionally. For instance, some older deployments might have the Azure AD Connect or some hybrid authentication enabled, which can cause these kinds of issues.

    Solution: If you’re not using Azure AD, make sure there is no hybrid configuration between your on-premises AD and Azure AD. Double-check that Azure AD Join is not configured and that Hybrid Azure AD Join isn't enabled on your AD domain controllers.

    Group Policy (GPO) Settings: Review your Group Policy settings again. Specifically, make sure you’re configuring Windows Hello for Business as on-premises certificate trust and not mistakenly pointing to cloud-based settings. It sounds like your GPOs might be pulling settings that expect Azure AD or hybrid cloud configurations.

    Solution: Make sure you have configured the Group Policy for on-premises scenarios and not for Azure AD scenarios. In particular, verify the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use Windows Hello for Business (ensure this is set properly for on-premises).

    User Configuration > Administrative Templates > System > Logon > Turn on PIN sign-in should be enabled.

    Certification Authority (CA) Configuration: Windows Hello for Business in an on-premises certificate trust model relies on certificates issued by your internal CA. Make sure your CA is configured properly to issue the required certificates for WHfB.

    Solution: Ensure that the Certificate Templates on your CA are correctly configured and that the client devices can receive the appropriate certificates. The CA should be issuing the User and Device Certificates for WHfB, and ADFS should be able to validate those certificates during the provisioning process.

    Check the ADFS Logs: ADFS might be looking for something that’s misconfigured, so checking the ADFS logs might give you more insights into whether ADFS is trying to redirect to Azure AD and why. If you see errors regarding Azure AD, this might confirm that something in your configuration is linking the environment to Azure AD by mistake.

    Solution: You could trace the ADFS logs to look for any interaction with Azure endpoints and troubleshoot from there.

    Revisit the WHfB Deployment Guide: Review the Windows Hello for Business On-Premises Certificate Trust Deployment Guide again from Microsoft Learn to ensure you haven't missed a configuration step specific to the certificate trust model. There are several steps involving certificates, Active Directory settings, and ADFS that need to align properly to avoid the Azure AD redirection you're seeing.

    I hope the above information is helpful to you.

    Best regards

    Runjie Zhai

    1 person found this answer helpful.
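The answer above asks you to verify the device-registration state and the two GPO settings before going further. The following PowerShell is an added example (not from the original post or from Microsoft) that summarises those checks on a client: it parses `dsregcmd /status`, compares the join state against what an on-premises certificate-trust deployment should show (domain joined, registered with ADFS, not Azure AD joined), prints the NGC prerequisite fields when reported, and reads the policy-backed registry values. The registry paths and value names are my assumption of where those GPOs land; verify them against your own build.

```powershell
# Added example (not from the original post): summarise the device-registration
# and WHfB policy state that the answer above asks you to verify.
# Assumes a Windows 10/11 domain-joined client; run it in the signed-in user's
# session so that dsregcmd also reports the user and NGC sections.

# Parse "Key : Value" lines from dsregcmd /status into a hashtable.
$status = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
        $status[$Matches[1]] = $Matches[2]
    }
}

# Expected state for on-premises certificate trust with no Azure AD ties:
# domain joined, registered with ADFS (EnterpriseJoined), NOT Azure AD joined.
$expected = [ordered]@{
    DomainJoined     = 'YES'
    AzureAdJoined    = 'NO'
    EnterpriseJoined = 'YES'
}
foreach ($k in $expected.Keys) {
    $actual = if ($status.ContainsKey($k)) { $status[$k] } else { '<not reported>' }
    $flag   = if ($actual -eq $expected[$k]) { 'OK ' } else { '!! ' }
    "{0}{1,-17} = {2} (expected {3})" -f $flag, $k, $actual, $expected[$k]
}

# NGC (PIN) prerequisite fields, if dsregcmd reported them for this user.
foreach ($k in 'PolicyEnabled','DeviceEligible','CertEnrollment','PreReqResult') {
    if ($status.ContainsKey($k)) { "   {0,-17} = {1}" -f $k, $status[$k] }
}

# Policy-backed registry values (assumed paths for the GPOs named in the answer).
$checks = @(
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Name='Enabled';                     Want=1 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Name='UseCertificateForOnPremAuth'; Want=1 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';   Name='AllowDomainPINLogon';         Want=1 }
)
foreach ($c in $checks) {
    $v     = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $shown = if ($null -eq $v) { '<not set>' } else { $v }
    $flag  = if ($v -eq $c.Want) { 'OK ' } else { '!! ' }
    "{0}{1}\{2} = {3} (expected {4})" -f $flag, $c.Path, $c.Name, $shown, $c.Want
}
```

A line flagged `!!` for `AzureAdJoined` or `EnterpriseJoined` points at the join state rather than the GPO, which matches the answer's advice to look for an unintended hybrid configuration before re-reading the certificate-trust guide.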