Extending ADFS for Device Registration w/ Azure AD and Windows Hello for Business

  • Question

  • Unfortunately, I have not run across any reliable documentation around this. A lot will get you close but it seems I'm missing some piece.

    Scenario: We are o365 hosted w/ base Azure AD w/ no password writeback. We are running ADFS on Server 2019 w/ a mix base of 2019 and 2012R2 DCs. All clients can be assumed to be Win10. ADFS by itself is working great. What we are trying to do is get Windows Hello for Business working to domain joined devices (only working if hacked via registry) and device registration working across the board.

    One of the problems we are having is that non-domain devices are now being prompted by ADFS as to whether a cert local to the client device can be trusted. We are not using certificate authentication, so I'm not sure where this is coming from. Originally, I thought this may just be establishing a trust between the client and ADFS for device registration, but the prompt to trust the cert is not a one-off and does reoccur. Any thoughts on how to make this prompt go away or at least make it a one-time prompt for the lifetime of the cert?

    Tuesday, August 27, 2019 1:50 PM