Windows Hello for Business Provisioning Line of Sight to Domain Controller

We are setting up WHfB hybrid cloud trust for our hybrid domain-joined PCs. We set up the Azure AD Kerberos module. Now our devices can get the partial TGT and are ready to be provisioned.

My question is: during the actual provisioning, where a user creates a PIN or the facial recognition is scanning your face, do you need line of sight to the domain controllers during the process? We've seen mixed results with our users at home, so VPN is not always connected.

To set up WHfB, no. Line of sight is not needed. To log in the first time with WHfB after setting up Windows Hello, yes, line of sight is needed.

If somebody tries to sign in with WHfB and they have never used WHfB to log in with line of sight, they will get some sort of domain error. They will have to fall back to their username and password.

If users have VPN access, they can connect to the VPN, lock their computer, then log in with WHfB. Moving forward, they can use WHfB with no line of sight.

Hope that makes sense. You can set up WHfB without line of sight, but it won't work to log in until it's used once with line of sight. Very similar to how cached domain accounts work. You have to sign in once with line of sight, then those same credentials can be used without.
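As an added diagnostic (not part of the original thread or of any Microsoft tooling), here is a PowerShell script that reports the conditions the answer above turns on for a hybrid-joined client: whether the cloud Kerberos trust policy is present, whether the client currently has line of sight to a domain controller, and whether a cloud (partial) TGT is cached for the signed-in user. The registry path for the policy, the `dsregcmd /status` field names and the `klist cloud_debug` output text it matches are assumptions based on current Windows builds; run it in the user's own session.

```powershell
# Added diagnostic, not from the original thread. Checks the prerequisites for a first
# WHfB cloud Kerberos trust sign-in on a hybrid Azure AD joined client.

$domain = $env:USERDNSDOMAIN   # e.g. corp.example.com; empty when not domain-joined

function Test-DcLineOfSight {
    param([string]$DomainName)
    if (-not $DomainName) { return $false }
    # nltest /dsgetdc: runs a DC locator query; it returns non-zero when no DC is reachable
    $null = nltest /dsgetdc:$DomainName 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-CloudTrustPolicy {
    # Assumption: this is the path written by the policy
    # "Use cloud Kerberos trust for on-premises authentication" (GPO or PassportForWork CSP)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\UseCloudTrustForOnPremAuth'
    try {
        $v = (Get-ItemProperty -Path $path -ErrorAction Stop).UseCloudTrustForOnPremAuth
        return [int]$v
    } catch {
        return $null   # policy not configured
    }
}

function Test-CloudTgt {
    # klist cloud_debug reports whether a cloud (partial) TGT is cached for the signed-in user.
    # Assumption: the relevant line ends in "TGT Available: 1" when one is present.
    $out = klist cloud_debug 2>&1 | Out-String
    return ($out -match 'TGT Available:\s*1')
}

function Get-DsregSsoState {
    # Parse the SSO State fields of dsregcmd /status (field names assumed) into a hashtable
    $out = dsregcmd /status 2>&1 | Out-String
    $state = @{}
    foreach ($key in 'AzureAdPrt', 'OnPremTgt', 'CloudTgt') {
        if ($out -match "$key\s*:\s*(YES|NO)") { $state[$key] = $Matches[1] }
        else { $state[$key] = 'UNKNOWN' }
    }
    return $state
}

$policy = Get-CloudTrustPolicy
$los    = Test-DcLineOfSight -DomainName $domain
$cloud  = Test-CloudTgt
$sso    = Get-DsregSsoState

"Cloud Kerberos trust policy : " + $(if ($null -eq $policy) { 'not set' } else { $policy })
"DC line of sight ($domain)  : $los"
"Cloud TGT cached (klist)    : $cloud"
"dsregcmd SSO state          : AzureAdPrt=$($sso.AzureAdPrt) OnPremTgt=$($sso.OnPremTgt) CloudTgt=$($sso.CloudTgt)"

# The failure mode described in the answer: provisioning can succeed without a DC, but the
# first WHfB sign-in needs one so the partial TGT can be exchanged for a full one.
if ($cloud -and -not $los) {
    "Cloud TGT present but no DC reachable: a first WHfB sign-in will fail until a DC is reachable (e.g. over VPN)."
}
```

If the policy shows as not set, the client will not attempt cloud Kerberos trust at all; if the policy and cloud TGT are present but line of sight is false, the user is in exactly the "connect VPN, lock, sign in once" situation the answer describes.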

What is the Azure Kerberos module? I’d assume that takes care of the line of sight requirements for caching credentials if it is what I think it is.

I have this question

Suppose that after a month a user is remote and not connected to VPN, and updates his Hello PIN.

Will it require LOS to log in once the PIN is updated?

Similar scenario:

When a user updates their password, the cached system password for a remote user can't be updated until the user is connected to VPN, even though IT updated the password on the DC from their side.