I'm struggling to find adequate documentation on WHfB compatibility under 24.2. I've pieced together some information from various discussions on this forum and what tidbits are mentioned in official documentation.
Most of our fleet is hybrid-joined (AD & AAD), so the user logs in via local AD at the login screen but is also connected to AAD automatically.
According to 24.2 documentation and release announcements, WHfB should allow Zen login under both AAD-Only and Hybrid. In my experience so far, it works under AAD-Only but not Hybrid. This may be a configuration issue but there is virtually no documentation to help guide a proper configuration.
AAD-Only device, AlternateAzureDomain NOT SET
- Using a password, the AAD device will automatically authenticate ZENworks against the local AD user source, not AAD. I assume this is some sort of password handoff login process and I was surprised to see it worked like this.
- WHfB login will not authenticate Zen.
AAD-Only device, AlternateAzureDomain registry value set to the NetBIOS name of my local AD
- Zen will prompt for an AAD login after reaching the desktop. This prompt clearly displays the full email address of the user it detected and directs me to log in to Azure with the same user.
- Works with WHfB or password login.
Hybrid device, AlternateAzureDomain NOT SET
- Zen only authenticates after logging in to Windows with a password.
- WHfB login results in Zen not being logged in.
Hybrid device, AlternateAzureDomain registry value set to the NetBIOS name of my local AD
- Zen will prompt for an AAD login; however, Zen displays the short username, not the full email address of the user as it did on the AAD-Only device. If I proceed to log in anyway, this results in an error stating that I have logged in with the wrong account and to pick the account that matches. I suspect it is failing to detect the full AAD user name.
What does AlternateAzureDomain do? Does it help Zen locate the username to match against Azure? If so, why does this not work in a hybrid configuration? I tried domain suffix of both Azure and local AD to no avail.
Does WHfB Zen login require the use of an Azure AD user source or can it be used against a local AD source? This is never clearly stated. Documentation only says that both AAD-Only and Hybrid are supported but mentions needing a specific kind of user source.
Whenever AlternateAzureDomain is not set (or is set to a value that isn't helping), upon logging in on a hybrid device via WHfB, the zmd-messages log displays a line stating that WHfB is skipped because this isn't a domain login. There are no other useful WHfB log entries, even with logging in debug mode.
I also tried tinkering with the local AD user UPN suffix to match the Azure FQDN, but that makes no difference. This is a common scenario where the Azure FQDN and email domain (domain.org) don't match the local AD FQDN and UPN suffix (domain.net), so the local AD user's UPN suffix is updated to match Azure/email (upn=user@domain.org). I almost didn't want to mention this because I didn't want to create confusion, but I tried it both ways, so that probably isn't a factor.
Is there any better documentation out there or does anyone have WHfB working with Zen on hybrid devices that might share their configuration?
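For anyone comparing notes on this, here is an added PowerShell snippet (not ZENworks' code and not from the original poster) that pulls together the variables the post says matter on a given device: the join state as reported by `dsregcmd /status` (AAD-Only vs Hybrid), the signed-in user's UPN suffix (the domain.org vs domain.net question), the current AlternateAzureDomain value, and the most recent WHfB lines from zmd-messages.log. The registry path for AlternateAzureDomain is a placeholder because the post does not give it; the log path assumes the default agent install location and should be adjusted if yours differs.

```powershell
# Added diagnostic for comparing WHfB/ZENworks login scenarios across devices.
# Not ZENworks or Microsoft code. Values marked PLACEHOLDER/ASSUMPTION are not from the post.

# PLACEHOLDER: the post does not state where AlternateAzureDomain lives; set your actual key here.
$AltDomainKeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER\ZENworks'

# ASSUMPTION: default ZENworks agent log location (ZENWORKS_HOME if set, else the usual install dir).
$ZenHome = if ($env:ZENWORKS_HOME) { $env:ZENWORKS_HOME } else { 'C:\Program Files (x86)\Novell\ZENworks' }
$ZenLog  = Join-Path $ZenHome 'logs\LocalStore\zmd-messages.log'

function Get-DsregState {
    # Parse the "Key : Value" lines of 'dsregcmd /status' into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Get-JoinType {
    # Classify the device the same way the post does: AAD-Only vs Hybrid (AD + AAD).
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid' }
    if ($aad)           { return 'AAD-Only' }
    if ($dom)           { return 'AD-Only' }
    return 'Not joined'
}

$state  = Get-DsregState
$upn    = (whoami /upn 2>$null)                      # empty for local accounts
$upnSfx = if ($upn) { ($upn -split '@')[-1] } else { '<none>' }
$altDom = (Get-ItemProperty -Path $AltDomainKeyPath -Name AlternateAzureDomain `
               -ErrorAction SilentlyContinue).AlternateAzureDomain

[pscustomobject]@{
    JoinType             = Get-JoinType -State $state
    DeviceTenant         = $state['TenantName']
    SignedInUpn          = $upn
    UpnSuffix            = $upnSfx
    AlternateAzureDomain = if ($altDom) { $altDom } else { '<not set>' }
} | Format-List

# Show the recent WHfB-related agent log lines (e.g. the "skipped because this isn't a domain login" message).
if (Test-Path $ZenLog) {
    Select-String -Path $ZenLog -Pattern 'WHfB' | Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    Write-Warning "zmd-messages.log not found at $ZenLog"
}
```

Run it in an elevated PowerShell on one working AAD-Only device and one failing hybrid device and compare the two outputs side by side; the UPN suffix and AlternateAzureDomain rows are the ones to check against the account name Zen shows in its login prompt.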