With the "Hybrid Cloud Trust Deployment" (Microsoft now documents it as cloud Kerberos trust) it is finally possible to sign in to local / on-premises resources with Windows Hello for Business (face, PIN or security key) without much effort. Previously this required either the key trust or the certificate trust model, and both depend on a PKI with a CA (Certificate Authority) in the background.
Requirements
- Windows 10, version 21H2 or Windows 11
- Multi-factor authentication configured in Azure AD
- Fully patched Windows Server 2016 or later domain controllers
- Azure AD Kerberos PowerShell module
- MDM-managed device (Intune) for policy delivery, or an up-to-date GPO infrastructure
Azure AD Configuration - Kerberos
First, install the module, for example on the Azure AD Connect server. The easiest way is an elevated PowerShell session:
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Next, create the Azure AD Kerberos server object. The command writes to both directories, so it needs a Domain Admin for the on-premises domain and a Global Administrator for the Azure AD tenant:
$Domain = Read-Host "Your local AD Domain name"
$CloudUPN = Read-Host "A Global Administrator in your Azure AD"
$DomainCred = Get-Credential # Domain Admin of the on-premises AD
# Create and publish the new Azure AD Kerberos server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Verify the Kerberos server object in both directories
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
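As an added example (not part of the original post), the following PowerShell checks the object the two commands above created and rotates its key when needed. Microsoft recommends rotating the Azure AD Kerberos server key regularly; the 90-day threshold here is an assumed site policy, not a Microsoft default. The property names are those returned by Get-AzureADKerberosServer, and $Domain, $CloudUPN and $DomainCred are assumed to be set as above.

```powershell
# Added example, not from the original post. Requires the
# AzureADHybridAuthenticationManagement module and the variables
# $Domain, $CloudUPN and $DomainCred from the steps above.

function Test-AzureADKerberosServerObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $CloudUPN,
        [Parameter(Mandatory)] [pscredential] $DomainCred,
        # Assumed site policy: how old the server key may become before rotation.
        [int] $MaxKeyAgeDays = 90
    )

    $server = Get-AzureADKerberosServer -Domain $Domain `
        -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
    if (-not $server) {
        throw "No Azure AD Kerberos server object found for domain '$Domain'."
    }

    # The object exists in both directories. The on-premises and cloud copies of
    # the key must carry the same version, otherwise the partial TGT issued by
    # Azure AD cannot be exchanged for a full TGT at the on-premises KDC.
    $keyUpdated = [datetime]$server.KeyUpdatedOn
    $keyAgeDays = [int]((Get-Date) - $keyUpdated).TotalDays

    [pscustomobject]@{
        DomainDnsName   = $server.DomainDnsName
        KeyVersion      = $server.KeyVersion
        CloudKeyVersion = $server.CloudKeyVersion
        VersionsMatch   = ($server.KeyVersion -eq $server.CloudKeyVersion)
        KeyUpdatedOn    = $keyUpdated
        KeyAgeDays      = $keyAgeDays
        RotationDue     = ($keyAgeDays -gt $MaxKeyAgeDays)
    }
}

function Invoke-AzureADKerberosKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $CloudUPN,
        [Parameter(Mandatory)] [pscredential] $DomainCred
    )

    if ($PSCmdlet.ShouldProcess($Domain, 'Rotate Azure AD Kerberos server key')) {
        # -RotateServerKey generates a new key and publishes it to both
        # on-premises AD and Azure AD in one step.
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN `
            -DomainCredential $DomainCred -RotateServerKey
    }
}

# Usage, after the creation step above:
$state = Test-AzureADKerberosServerObject -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred
$state | Format-List
if (-not $state.VersionsMatch -or $state.RotationDue) {
    # -Confirm prompts before touching either directory; -WhatIf shows the plan only.
    Invoke-AzureADKerberosKeyRotation -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred -Confirm
}
```

A version mismatch between KeyVersion and CloudKeyVersion is the first thing to look for when clients get an Azure AD PRT but no on-premises TGT; a rotation republishes the key to both sides.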
Windows Hello for Business policy with Intune
Intune makes it very easy to configure the policy.
If you have an on-premises infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date, because the cloud trust setting only exists in the newer templates. Microsoft documents the GPO path in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) – Windows security | Microsoft Docs
Activate Windows Hello for Business
Windows Hello for Business can be enabled either tenant-wide (at enrollment) or only for a specific group with a configuration profile.
Activation tenant-wide
Tenant-wide activation is done under «Devices > Windows > Windows enrollment > Windows Hello for Business». If you choose this option, every device will prompt the user for the Windows Hello configuration during enrollment.

Activation with a policy
To enable it only for a specific group, create a new «Identity Protection» profile under «Devices > Windows > Configuration profiles» and assign it to that group.
In the settings it is important that "Use a Trusted Platform Module (TPM)" is enabled, so the Windows Hello key is bound to the device's TPM instead of being stored in software.

Create Cloud Trust Policy
To configure the cloud trust policy, we create a "Custom" profile with an OMA-URI. The OMA-URI tells the device which Azure AD tenant it should use cloud Kerberos trust with for on-premises authentication.
You create the policy under «Devices > Windows > Configuration profiles > + Create profile» (platform Windows 10 and later, profile type Custom).
Add a setting with the values below. Don't forget to replace «YourTenantID» in the OMA-URI with your tenant ID (the GUID shown in the Azure portal under Azure Active Directory > Overview, not the tenant name).
| Setting | Value |
| --- | --- |
| Name | UseCloudTrustForOnPremAuth |
| Description | Windows Hello for Business cloud trust |
| OMA-URI | ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth |
| Data type | Boolean |
| Value | True |
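As an added example (not part of the original post), the following PowerShell is what you would run on a hybrid Azure AD joined client after the policy has applied and the user has signed in with Windows Hello: it checks the OS build and TPM from the requirements, parses dsregcmd /status for the join and SSO state, and builds the expected OMA-URI from the tenant ID the device actually reports. The sample dsregcmd lines at the bottom are constructed, not real output; Get-Tpm needs an elevated session.

```powershell
# Added example, not from the original post. Run on a hybrid Azure AD joined
# client after the Intune policy has applied. Get-Tpm needs an elevated
# session; the sample dsregcmd output at the bottom is constructed so the
# parser can be tried offline.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # dsregcmd /status prints "Key : Value" pairs; keep the single-word keys.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function New-CloudTrustOmaUri {
    param([Parameter(Mandatory)] [string] $TenantId)
    # The OMA-URI must carry the tenant ID (a GUID), not the tenant name;
    # a pasted name is the most common reason the policy never takes effect.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
        throw "'$TenantId' is not a tenant ID (GUID); check Azure AD > Overview."
    }
    return "./Device/Vendor/MSFT/PassportForWork/$guid/Policies/UseCloudTrustForOnPremAuth"
}

function Test-CloudKerberosTrustClient {
    param([string[]] $StatusLines = (& dsregcmd /status))
    $s = ConvertFrom-DsregcmdStatus -Lines $StatusLines
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $tpm = Get-Tpm
    $omaUri = if ($s['TenantId']) { New-CloudTrustOmaUri -TenantId $s['TenantId'] } else { $null }

    [pscustomobject]@{
        # Windows 10 21H2 is build 19044; Windows 11 starts at 22000.
        OsBuildSupported = ($build -ge 19044)
        TpmReady         = ($tpm.TpmPresent -and $tpm.TpmReady)
        AzureAdJoined    = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined     = ($s['DomainJoined'] -eq 'YES')
        # AzureAdPrt proves the Azure AD sign-in. CloudTgt is the partial TGT
        # Azure AD issued; OnPremTgt shows it was exchanged at a domain
        # controller for a full on-premises TGT, i.e. cloud Kerberos trust works.
        AzureAdPrt       = ($s['AzureAdPrt'] -eq 'YES')
        CloudTgt         = ($s['CloudTgt'] -eq 'YES')
        OnPremTgt        = ($s['OnPremTgt'] -eq 'YES')
        ExpectedOmaUri   = $omaUri
    }
}

# Constructed sample of the relevant dsregcmd /status lines (not real output).
$sampleStatus = @(
    '           AzureAdJoined : YES',
    '        EnterpriseJoined : NO',
    '            DomainJoined : YES',
    '                TenantId : 11111111-2222-3333-4444-555555555555',
    '              AzureAdPrt : YES',
    '                CloudTgt : YES',
    '               OnPremTgt : YES'
)
$parsed = ConvertFrom-DsregcmdStatus -Lines $sampleStatus
New-CloudTrustOmaUri -TenantId $parsed['TenantId']

# Live check on a client (elevated):
# Test-CloudKerberosTrustClient | Format-List
```

If AzureAdPrt is YES but OnPremTgt is NO, the client reached Azure AD but the domain controller did not accept the cloud-issued ticket: check that the policy applied with the correct tenant ID, that the domain controllers are fully patched, and that the Azure AD Kerberos server object's key versions match in both directories.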
