Upgrade the Azure AD Domain Services Domain Controllers to be Windows Server 2016 instead of Windows Server 2012 R2.
We've switched to having our domain be AAD Domain Services and connected to our Office 365 domain and we'd like to enable Windows Hello for Business, but until those domain controllers are upgraded we can't utilize it. This makes the nice fingerprint scanners on our new machines useless.
Elliot Huffman commented
I've got one better, why not Server 2019?
David Schlum commented
We too find ourselves in a position of wanting Windows Hello for Business on Azure AD DS domain-joined Windows 10 Enterprise machines. We are a consulting company and do a TON of remote desktop connectivity. We were unable to use RDP to Windows 10 machines that were only Azure AD-joined without disabling NLA on the RDP settings. The solution was to domain-join the machines instead but when that happened, even though they are still connected to Azure AD, they will no longer allow me to enable Windows Hello For Business on the device.
It does seem that the Hybrid AD DS deployment is normally the answer for this outside of Azure AD DS.
When you say that you can already do Windows Hello For Business directly, can you provide some documentation of how that is supposed to work? I've been searching for hours upon hours and it appears that as soon as you domain join, you lose that ability from Azure AD.
Mike Stephens commented
We are considering 2016 DCs, but not for the use case you describe. Azure AD DS was not designed to be federated with Azure Active Directory. You have Azure Active Directory (with your Office 365 subscription) so you can already do Windows Hello For Business directly with Azure. AAD DS is an extension of AAD that provides support for legacy applications that use Kerberos, NTLM, LDAP, and other legacy protocols. Azure AD DS cannot be used as a hybrid AD DS deployment with Azure. Also, Azure AD DS will not work (even with 2016) with WHFB's current design. That said, we are also investigating how we can bring passwordless to Azure AD Domain Services.
Senior Program Manager
Azure Fabric | Domain Services
It is silly that the cutting edge cloud platform is using 2012 for compatibility; there should be the latest Windows (even beta) options available for features. There is no reason Microsoft's own platform should be lagging behind so much.
The ability to use the latest security features should be something always supported by Azure products.