Especially if there hasn't been a PKI before. After this step, they won't have to perform it again. I also include network traffic to see what goes on with Kerberos. This is carried out transparently. Sorry, I was a bit all over the place in the initial post.

Use TPM-backed certificate authentication to provide secure access to the end-user both in deployment and access to: Use Credential Guard to isolate and protect secrets (e.g., NTLM hashes / Kerberos ticket-granting tickets). For more information on these interesting topics, please contact us at Route443. TBF ADCS is a lot more complicated to set up than Group Policy and it's not the kind of thing you want to half-ass. This is an Azure AD joined device, with the private keys for certificates created during enrollment stored in the TPM. Internal PKI is super, super common and with a Windows domain really easy to do. The Out of Box Experience (OOBE) lands the user on the tenant-branded logon screen. The goal of this step is to achieve a state where the user knows they have a password but never uses it. With device configuration profiles defined in Microsoft Intune and assigned to devices, the AADJ client receives the appropriate configuration. Work out the requirements. DFS is the only real reason I still need to domain join workstations. Just following the guide has NOT helped. I had to decommission and replace our old 1-tier PKI, which gave me a bit of a headache at first. Next one will be a hybrid cert trust. PKI is the part that I was commenting doesn't scale down. Intune provides options for falling back to a software-based credential, should the need arise. Doing an internal PKI for AD is very easy because you can do validation of certs with just the directory itself... when you start having to set up OCSP, CRLs, AIA points, etc.

With Multi-Factor Authentication (MFA) enabled in the tenant and phone sign-in configured for the user, the Microsoft Authenticator app can be used for passwordless sign-in. You don't need PKI if you do a 2016 DC with hybrid-joined Windows 10 devices. 2FA is what I want for workstation logins; Windows Hello for Business is the native option. This is to satisfy the access conditions for Single Sign-On (SSO) with Windows Hello for Business against the on-premises domain. Windows 10 Passwordless – Azure AD Join, Microsoft Intune and Windows Hello for Business. Provision the machine using Windows Autopilot and onboard the user using multi-factor authentication (sans password). Use Windows Hello for Business for Multi-Factor Authentication (MFA) via biometric gestures, with a PIN as fallback.
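The post leans on several client-side pieces (a TPM holding the enrollment certificate keys, Credential Guard protecting the TGT, the Azure AD join and PRT state, and an on-premises Kerberos TGT obtained through Windows Hello for Business). The following is an added example, not code from the Route443 post or from Microsoft, that reads all of those states from one client so you can confirm a device actually landed in the intended configuration. It assumes an Azure AD joined Windows 10/11 device and an elevated PowerShell session started as the signed-in user (so `dsregcmd /status` also prints the user state). The function name and output field names are ours; the `dsregcmd` field names vary by Windows build, which is an assumption flagged in the code.

```powershell
# Added example, not code from the Route443 post or from Microsoft: a read-only
# check of the client-side pieces the post relies on (TPM, Credential Guard,
# AADJ state, TPM-backed enrollment cert keys, on-prem Kerberos TGT). Assumes an
# Azure AD joined Windows 10/11 device; run elevated as the signed-in user so
# dsregcmd also reports the user state. Function name and output fields are
# ours; dsregcmd field names are build-dependent (assumption).

function Get-PasswordlessClientState {
    $state = [ordered]@{}

    # 1. TPM present and ready: the WHfB key and the enrollment certificate keys live there.
    $tpm = Get-Tpm
    $state.TpmPresent = $tpm.TpmPresent
    $state.TpmReady   = $tpm.TpmReady

    # 2. Credential Guard: SecurityServicesRunning contains 1 when it is running
    #    (2 = HVCI), per the Win32_DeviceGuard class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # 3. Join and SSO state from dsregcmd /status (text output, so parse "Key : Value" lines).
    #    Assumption: these field names exist on the build in use; 'unknown' means not printed.
    $ds = dsregcmd /status
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'NgcSet', 'AzureAdPrt', 'OnPremTgt', 'CloudTgt') {
        $value = 'unknown'
        foreach ($line in $ds) {
            if ($line -match "^\s*$key\s*:\s*(\S+)") { $value = $Matches[1]; break }
        }
        $state[$key] = $value
    }

    # 4. Certificates in the user store whose RSA private key is held by the TPM KSP
    #    (Microsoft Platform Crypto Provider). ECC keys would need GetECDsaPrivateKey.
    $tpmKsp = 'Microsoft Platform Crypto Provider'
    $state.TpmBackedCerts = @(
        foreach ($c in Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                if ($rsa -is [System.Security.Cryptography.RSACng] -and $rsa.Key.Provider.Provider -eq $tpmKsp) {
                    $c.Subject
                }
            } catch { }   # key not accessible in this context; skip it
        }
    )

    # 5. An on-prem TGT (krbtgt/<DOMAIN>) in the user's ticket cache is the proof that
    #    WHfB SSO to the domain actually happened; it appears after the first on-prem access.
    $state.OnPremKerberosTgt = [bool](klist 2>$null | Select-String -Pattern 'krbtgt/' -Quiet)

    [pscustomobject]$state
}

Get-PasswordlessClientState | Format-List
```

A device that is configured as the post describes shows `TpmReady`, `CredentialGuardRunning` and `AzureAdJoined : YES`, at least one subject under `TpmBackedCerts`, and `OnPremKerberosTgt` true once the user has touched an on-premises resource; an empty `TpmBackedCerts` with the certificate present means the key was issued to a software KSP, which is the fallback the post mentions rather than the TPM-backed state it aims for.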

I'm currently going through this, and I've just opened an advisory case with MS to help me with any roadblocks I encounter. We've just done this for a fairly complex scenario that needs both internal and external certificate validation, and the posts here are right: it's fairly easy to set up, but half-assing it will kill you down the road. We currently have requirements for domain-joined computers, primarily so we can continue to use DFS/file shares. It's worth pointing out that this functionality is not specific to Windows Hello for Business; it applies to AADJ clients as a whole that need to communicate with on-premises resources.
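The recurring point in the discussion above is that an internal PKI is easy while certificates are validated against the directory, and gets hard once Azure AD joined clients off the corporate network need working OCSP, CRL and AIA endpoints. The following is an added example, not code from the post or from any commenter, that checks exactly that from the client: it pulls the AIA and CDP URLs out of an enrolled certificate, probes each HTTP endpoint, and then builds the chain with online revocation checking so that unreachable endpoints show up as `OfflineRevocation`, `RevocationStatusUnknown` or `PartialChain` rather than as a vague logon failure. It assumes a Windows 10/11 client with the enrollment certificate in the user's personal store; the function name and the `-SubjectMatch` parameter are ours.

```powershell
# Added example, not code from the post or the thread: verify that an enrolled
# client certificate's AIA/CDP endpoints are reachable from this client and that
# the chain builds with online revocation checking. Assumes Windows 10/11 and a
# certificate in Cert:\CurrentUser\My; function and parameter names are ours.

function Test-EnrolledCertificateChain {
    param(
        # Substring of the certificate subject to check (assumption: caller knows it)
        [Parameter(Mandatory)][string]$SubjectMatch
    )

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectMatch' in Cert:\CurrentUser\My" }

    # 1. Extract HTTP URLs from the AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31) extensions.
    #    An LDAP-only AIA/CDP yields nothing here, which is precisely what breaks
    #    AADJ clients that are not on the corporate network.
    $urls = foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
        foreach ($ext in ($cert.Extensions | Where-Object { $_.Oid.Value -eq $oid })) {
            [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
        }
    }
    $urls = @($urls | Sort-Object -Unique)

    # 2. Probe each endpoint. Any HTTP response (even 405 for a bare GET on OCSP) means
    #    the URL is reachable; a transport error means it is not.
    $reach = foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            [pscustomobject]@{ Url = $u; Reachable = $true; Status = [int]$r.StatusCode }
        } catch {
            $resp = $_.Exception.Response
            [pscustomobject]@{
                Url       = $u
                Reachable = [bool]$resp
                Status    = if ($resp) { [int]$resp.StatusCode } else { 0 }
            }
        }
    }

    # 3. Build the chain with online revocation checking (root excluded, as Windows does).
    #    Unreachable CDP/OCSP -> OfflineRevocation / RevocationStatusUnknown;
    #    unreachable AIA with no cached issuer -> PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = 'Online'
    $chain.ChainPolicy.RevocationFlag       = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $built  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        Endpoints   = $reach
        ChainBuilds = $built
        ChainStatus = if ($status.Count) { $status -join ', ' } else { 'NoError' }
    }
}

# Usage (assumption: the enrollment certificate subject contains the user's name).
Test-EnrolledCertificateChain -SubjectMatch $env:USERNAME | Format-List
```

Run it once on the corporate network and once from an external connection: if `ChainBuilds` flips from true to false, or `ChainStatus` gains `OfflineRevocation`, the difference in the `Endpoints` list tells you which AIA or CDP URL is only published internally, which is the part of the PKI the thread warns about half-finishing.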