S01E20 - Using Windows Hello for Business to Access On-Premises Resources - (I.T)

  • Published: 18 Sep 2024

Comments • 78

  • @mrkingskintim 2 years ago +1

    Dudes, I love your videos. I love how it always goes wrong but you always manage to fix it. This is exactly how me and my co-worker work! Keep on the great work, guys.

  • @jordanross5133 4 years ago +1

    Thank you for your wonderful videos and the time and effort it takes to make them. It's a breath of fresh air to see a start to finish on this topic that includes some bloopers.

  • @zorlacmc 4 years ago +3

    Glad I'm not the only one that found the docs disjointed and impossible to follow - thanks for the video!

    • @thomasbalder427 4 years ago

      The day before yesterday I spent the whole day figuring out how to get the partner center stuff going so I can use autopilot with only s/n+model+manufacturer without opening the box to get the hardware hash. What a pain that was!

    • @TaozenTaiji 3 years ago +1

      A lot of Microsoft docs are great, but good lord the WHfB docs are bad... disjointed and impossible to follow is the most accurate description I've seen of them.

  • @michaelwaterman3553 4 years ago +3

    Good video, although lengthy. I did appreciate the honesty of the first part, seems that the most knowledgeable among us also struggle with the same stuff we all do. As it happens I was actually in need of this knowledge as I was running into the exact same issue. Going to give it a try next week. Thanks!!!

    • @IntuneTraining 4 years ago +4

      I just started going through all of this again for my prod env and following the steps to confirm what already exists vs what we need to add. Message me on Twitter DM if you get stuck. @AdamGrossTX

    • @michaelwaterman3553 4 years ago

      Intune Training I will do that! Thanks for offering.

  • @DeepFriedLettuce 3 years ago

    Well I feel like a dummy, but I'm one happy dummy right now. I went over the entire video three times trying to figure out where I was going wrong... I never made my PDC the 2016 server. Once I got this issue resolved, it resolved 3-4 other issues I had in queue for this. Thank you guys so much for this content and providing the sources you're using. I wouldn't have figured out my noob-like blunder otherwise!

  • @YLCGUK 3 years ago +3

    Great video, very useful, thank you!
    Volume normalisation between the 2 of you would be good though. I have to have one of you booming in order to hear the other clearly.

  • @iliyatodorov9320 4 years ago

    Great tutorial! Thank you!
    In regards to the CDP folder permissions:
    To avoid adding "Everyone -> Full", place the folder on another server (tested OK), or it might work on another drive.

  • @lltagged 3 years ago +1

    Haha hilarious watching the entire thing. :) Enjoyed it a lot, thanks!

  • @oliverpetherick87 4 years ago +3

    Hey guys, really loving these guides. As an IT admin completely new to a pre-existing Intune setup, these guides have proven invaluable for me to begin to understand how it works. It is also reassuring that despite my frustrations with Intune at times, even experienced professionals still have their difficulties with it too. With that said, I also have been having a bit of trouble with fluctuations with my enrolled device's compliance and frequently see false positives occur. Is this normal behaviour for Intune when changes occur (like new OS versions being released) or does something in the configuration need addressing?

  • @jackh125 2 years ago

    As the SCCM administrator, and having no access to our cloud based infrastructure... watching this made me sad that we'll simply never be able to enjoy this feature. Way too many asks for those above my paygrade. Excellent video regardless of the complexity.

    • @IntuneTraining 2 years ago +1

      That’s a bummer. Check back next week - we’re going to be covering Hybrid Cloud Trust. It only takes a few mins and a few lines of PowerShell.

  • @Soqotra3 4 years ago +1

    Nice, was struggling with this the other day...

  • @omarserpas5323 3 years ago +2

    Great and honest video. Appreciate the hard work. Been watching for a while and slowly deploying Intune in our environment. But had a question, at the end where it was working, as I'm a bit confused: is this still considered the Hybrid Azure AD Key Trust model? It's supposed to not have any certificates deployed to machines and yet you uploaded the root CA into a config profile and deployed it to all devices. So doesn't that make this the Hybrid Azure AD Certificate model?

    • @IntuneTraining 3 years ago +1

      Hybrid key trust only needs to have the root CA deployed, while cert trust needs to have a user/device cert along with the root CA.

  • @yaserrafiq7482 4 years ago

    Great session thanks for your efforts

  • @taksiobs 3 years ago +1

    Hi Guys, will this work with Hybrid AD Joined Windows 10 Devices?

  • @andrewmilne5713 4 years ago

    Hey Steve/Adam. Great video. When you were filming the first attempt live, what was the cause of the problem, or did you just start again? I only ask because, although I can see Kerberos tickets being granted using the keys, I still get a message saying that it can't reach a domain controller?

  • @Ramsas154 2 years ago

    Is there a more up-to-date blog/video on how to achieve hybrid-AD Windows Hello? The blog post in the description is dead :(

    • @IntuneTraining 2 years ago +1

      Check out Hybrid Cloud Trust. It’s far easier to configure and much faster user provisioning.
      docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
      If you get stuck, come over to aka.ms/WinAdmins and ask for @AJF or @AdamGrossTX

  • @KJ-yr7gi 3 years ago

    Hi, thanks for making this great video. I just wonder if we could Remote Desktop login with fingerprint?

  • @MatthewMorris2410 4 years ago

    Quick question as I'm new to all of this. When I change the certificate what happens to the on-prem machines? Are there any issues with changing the DC cert or does it just work? Thanks for your help and your videos are brilliant. Helped me a lot.

  • @justinpfeil2775 2 years ago

    This video is just what I needed, but I paused it because I'm having a serious problem with the Certificate Template not being available to be issued.

    • @IntuneTraining 2 years ago

      Have a look at this updated video: ruclips.net/video/q0Y4g0dcOY4/видео.html where Steve and Adam talk about the newer option of Windows Hello for Business, that is way easier to implement and use.

  • @yanniskahnwald5042 9 months ago

    If I am interested in on-premise implementation can I do that only with pt. 2 of the episode?

  • @martincayer2615 3 years ago

    Thank you for the video. I have a question regarding 2012R2 domain controllers. If I understood correctly, we can deploy Hybrid Azure AD Key Trust, as long as the Schema is 2016. Is there a disadvantage to doing this?

    • @jan1010110 3 years ago

      You need a 2016 DC in every AD site. The Schema can be 2012R2.
      You see your sites in the program Active Directory Sites and Services.
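
Two prerequisites raised by commenters in this thread (a 2016 DC in every AD site, and the PDC being the 2016 server) can be checked with a short script. This is an added example, not from the video or the commenters; it assumes the RSAT ActiveDirectory module and read access to the domain, and `Test-Is2016OrLater` is a helper name made up for this example.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and read access
# to the current domain; Test-Is2016OrLater is a helper defined here.
Import-Module ActiveDirectory

function Test-Is2016OrLater {
    param([string]$OperatingSystemVersion)
    # Server 2016 and later report "10.0 (build)"; 2012 R2 reports "6.3 (9600)".
    if ($OperatingSystemVersion -notmatch '^(\d+)\.\d+') { return $false }
    return [int]$Matches[1] -ge 10
}

$dcs   = @(Get-ADDomainController -Filter *)
$sites = Get-ADReplicationSite -Filter *

# One row per AD site: how many DCs it has and how many run 2016 or later.
$report = foreach ($site in $sites) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $modern  = @($siteDcs | Where-Object { Test-Is2016OrLater $_.OperatingSystemVersion })

    if ($siteDcs.Count -eq 0) {
        $status = 'No DC in site'
    } elseif ($modern.Count -eq 0) {
        $status = 'No 2016+ DC'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $siteDcs.Count
        Server2016OrLater = $modern.Count
        Status            = $status
    }
}
$report | Sort-Object Site | Format-Table -AutoSize

# Report the OS of the DC that holds the PDC emulator role.
$pdcName = (Get-ADDomain).PDCEmulator
$pdc = $dcs | Where-Object { $_.HostName -eq $pdcName }
if ($pdc) {
    '{0} (PDC emulator) runs {1}; 2016 or later: {2}' -f `
        $pdc.HostName, $pdc.OperatingSystem, (Test-Is2016OrLater $pdc.OperatingSystemVersion)
}
```

`Get-ADDomainController -Filter *` only returns the domain controllers of the current domain, so run it once per domain in a multi-domain forest.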

  • @AWausF 4 years ago

    Hey guys, you made my day! I followed the docs and read the blablabla up and down, from left to right and at some point there was only a whaaat??? 😅 I don't understand why there is no better connector for this shit, or clean documentation. I came from a local Server 2008 domain and I am new to Azure, so I spent the whole last week trying to solve that issue! But PIN login with hybrid joined devices doesn't seem to work with this guide 🤬 Azure only is no way to go now, I need GPOs for printer connection, offline devices, application deploy and so on. My nightmare goes on with EAS not working with proxy enabled, Hello with hybrid AD joined devices and the thing with upgrading Exchange 2010 to 2019 with a hybrid environment 🥶🥶🥶

    • @mukhtarh5435 4 years ago

      I'm kind of late, but I recently got a Microsoft support job supporting this type of stuff. Were you able to deploy Windows Hello for Business using everything here? I need to build a mandatory Windows Hello for Business lab later.

  • @Domp6745 3 years ago

    Hello guys,
    after first PIN registration, could I use WHFB without an internet connection?

  • @silicondt1 3 years ago

    Do you have to be on the same network as the resource and DC? For example: what if you opened up a port through the firewall to HTTP on IIS that uses NT auth, yet the computer is on a random hotel wifi network, not VPN'd to corporate?

    • @IntuneTraining 3 years ago

      Use Azure App Proxy to do that.

    • @silicondt1 3 years ago +1

      @IntuneTraining Thanks, so to verify, you do have to be on the same network as your DC for this to work? Also I assume the on-prem AD DNS? Not just line of sight to the resource, but line of sight to the DC, and be on the DNS of on-prem AD.

  • @narasimhamurthyboya8987 4 years ago

    How do you get a password or PIN notification on AAD joined machines when it's expiring, or how will users know about password or PIN expiry?

  • @hyugai 1 month ago

    I love your video, Steve. I'm based in Sydney as well and would love to meet up with you one day.

    • @IntuneTraining 1 month ago

      Make sure you come on down to workplace ninja in a couple of weeks 😏

    • @hyugai 1 month ago +2

      @IntuneTraining is it 27 August at Denison North Sydney?

    • @IntuneTraining 1 month ago

      Sign up here www.meetup.com/workplace-ninja-user-group-australia/events/302012219

  • @ferryknol9582 2 years ago

    I'm just wondering, how safe is using a PIN really?
    Because I can predict that people will use the same PIN for all their devices.
    So chances that the PIN will be compromised are very high.
    Fingerprint, face recognition or a hardware key seems a better/safer solution in my opinion.
    In combination with a PIN it gives you 2FA, if that is possible.
    But why is it that we need to configure a PIN as a backup login solution when you choose any Windows Hello option?
    Sure, I understand that it is for when your Windows Hello face, finger or hardware key doesn't work, but this makes the whole Windows Hello solution insecure in my opinion.

  • @justinschlatter4189 3 years ago

    What rights are actually needed on the cdp folder?

  • @MalteseNinja22 1 year ago

    Hey guys, love the vids... thanks a lot!
    At the moment I'm trying to turn Windows Hello PIN OFF for all our users through Intune and remove any current PINs that are put in place.
    Is this possible?

    • @IntuneTraining 1 year ago +1

      There are policies to disable Hello and Hello PIN/biometrics.

  • @charlessloane 3 years ago

    Is this information still accurate given the fact that the blog post you are referencing was written in 2017?

  • @charliemaroun9151 2 years ago

    Hey, thanks for that. I'm having issues where after Autopilot it takes an hour or two to start working; if I add the certificate manually and restart, it works straight away. Any insight into this?

    • @IntuneTraining 2 years ago

      Do you see it on your home network too? Or just in the office? If in the office, check to see if you have the SSL inspection removed from the Intune endpoints.

    • @charliemaroun9151 2 years ago

      @IntuneTraining Just in the office. SSL inspection has been removed already. Is it possible that it's waiting for an ADSync to replicate before working?

    • @IntuneTraining 2 years ago

      It absolutely must wait for AAD Connect to sync, so that could be impacting you.

  • @mpdesousa 2 years ago

    Hey, I've been getting "Your credentials could not be verified" after setting up Win Hello on MDM, would the above solve this issue?

    • @IntuneTraining 2 years ago +2

      Probably. If you haven’t configured trust then you aren’t using hello for business, just hello. They aren’t the same.
      Stay tuned, we have a video on Hybrid Cloud Trust coming soon which should make this easier to set up.

    • @mpdesousa 2 years ago

      @IntuneTraining Yeah, thought as much after some digging and the troubleshooting article you posted on one of the vids. Thanks, looking forward to it.

  • @dontaylor7808 3 years ago

    Please post the complete steps on how you get this set up

  • @comeon684 4 years ago

    Steve & Adam... Do you still recommend following the first article you mention for setting up?

    • @IntuneTraining 4 years ago

      Yes

    • @comeon684 4 years ago

      @IntuneTraining - Wanted to thank you for this video. This is going to help us transition to a pure cloud solution. I enjoyed seeing the troubleshooting and it gave me more of an in-depth look at how this worked. I have it up and working for specific users.

  • @darts2680 3 years ago

    Hi @all
    Have you got a blog documenting Part 2 of this setup?
    Great work - but hard to follow up :-)

    • @DeepFriedLettuce 3 years ago

      Part 2 was added to the end of their first video. Start at about 75 minutes into the video and you'll see where Adam starts over again.

  • @marcelvis5217 4 years ago +2

    Steve and Adam, I like your Intune Trainings a lot, but on this particular episode... it's a bit difficult to follow as a viewer. Well, like Adam says, "We're doing it live".

  • @georgetzikas9340 4 years ago

    Need to add an option on how to assign Windows 10 Hello for Business for some users, not all users. That would be great. Thanks, guys.

    • @IntuneTraining 4 years ago +2

      You can create a Device Configuration Profile - select "Identity protection" as your Profile type.

    • @georgetzikas9340 4 years ago

      Intune Training - thanks guys, worked perfectly

  • @TekkDomains 3 years ago

    Steve, I followed along and got all this set up to work with a Hybrid Azure AD joined device. However, I am still running into the same issue where login is not possible using the PIN or fingerprint. I want to offer and suggest asking to come on to your show with my environment and working whatever the issue is to get this exact same setup / configuration to work with a Windows 10 Hybrid Azure AD joined device. Let's do a real/live troubleshooting session?
    Thanks
    Lacy
    Phoenixtekk
    SCCM/Endpoint Architects
    ExMSIT

  • @taksiobs 3 years ago

    Hi guys, can anyone confirm if I need ADFS for me to enable Windows Hello on Hybrid AD joined devices?

    • @IntuneTraining 3 years ago +1

      At a high level ADFS is not required for Windows Hello for Business, it's only required if doing the certificate based trust model, which isn't a great solution to be honest, whole heap more moving parts than hybrid key trust.

    • @taksiobs 3 years ago

      @IntuneTraining thanks a lot ❤️

  • @mrhallman64 2 years ago

    I found that end users forgot their passwords more often because they did not have to type them in very often. lol

  • @localgod13 3 years ago

    Can you please do another cleaner video on this topic?

    • @IntuneTraining 3 years ago +1

      Try this one that Steve did at a user group.
      ruclips.net/video/z3XOJNoGAtI/видео.html

  • @justinpfeil5018 1 year ago

    Implementing this has been one of the worst experiences. Nothing seems to ever work.

    • @IntuneTraining 1 year ago

      We agree. Have you seen Hybrid Cloud Trust? Same result, WAAAYY simpler.
      S04E03 - Configuring Hybrid Cloud Trust - (I.T)
      ruclips.net/video/q0Y4g0dcOY4/видео.html

    • @justinpfeil5018 1 year ago

      @IntuneTraining I have, and I followed that video, now I'm in a situation where Windows Hello will activate when the configuration profile is activated, but after implementation all PCs go directly to 'Not available at this time.' I cannot determine the cause yet. Very frustrating.

  • @MK-7817 2 months ago

    Not sure what you are trying to accomplish. Video is not clear to understand.

  • @ITUnwrapped 4 years ago

    To be fair, 90% of your troubles were basic understanding of how remote access to VMs and certificates work.

    • @IntuneTraining 4 years ago

      Please explain what you mean.

    • @ITUnwrapped 4 years ago

      @IntuneTraining The video speaks for itself :-)