
Windows Hello for Business - Cloud Trust - Hybrid

With the "Hybrid Cloud Trust Deployment", it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. Previously this required considerable effort and a CA (Certificate Authority).


  • Windows 10, version 21H2 or Windows 11
  • Multi factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):

```powershell
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
```

Second, we create the Kerberos server object:

```powershell
$Domain = Read-Host "Your local AD Domain name"
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential # local AD Admin

# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify Kerberos object
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
```
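The verify step above only prints the object. As an added example (not part of the original post), the function below compares the on-premises fields with their cloud counterparts in that output. It assumes the property names shown by Get-AzureADKerberosServer (Id/CloudId, KeyVersion/CloudKeyVersion, KeyUpdatedOn/CloudKeyUpdatedOn); Test-KerberosServerSync and the sample object are hypothetical and constructed for illustration.

```powershell
# Added example: check that the on-premises and cloud copies of the
# Azure AD Kerberos server object agree. Function name is hypothetical.
function Test-KerberosServerSync {
    param(
        [Parameter(Mandatory)] $KerberosServer
    )
    # On-premises property -> cloud property expected to hold the same value.
    $pairs = [ordered]@{
        Id           = 'CloudId'
        KeyVersion   = 'CloudKeyVersion'
        KeyUpdatedOn = 'CloudKeyUpdatedOn'
    }
    foreach ($onPrem in $pairs.Keys) {
        $cloud = $pairs[$onPrem]
        $a = $KerberosServer.$onPrem
        $b = $KerberosServer.$cloud
        [pscustomobject]@{
            OnPremProperty = $onPrem
            OnPremValue    = $a
            CloudProperty  = $cloud
            CloudValue     = $b
            # A missing value on either side counts as out of sync.
            InSync         = ($null -ne $a) -and ($null -ne $b) -and ("$a" -eq "$b")
        }
    }
}

# Constructed sample object (not real output): the cloud key lags behind.
$sample = [pscustomobject]@{
    Id                = 16101
    KeyVersion        = 53325
    KeyUpdatedOn      = [datetime]'2024-01-10T09:00:00Z'
    CloudId           = 16101
    CloudKeyVersion   = 53324
    CloudKeyUpdatedOn = [datetime]'2024-01-02T09:00:00Z'
}
Test-KerberosServerSync -KerberosServer $sample | Format-Table -AutoSize

# Against a real environment, pass the object from the verify step instead:
# $krb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Test-KerberosServerSync -KerberosServer $krb
```

A row with InSync = False means the two copies of the object differ and should be looked at before the cloud trust policy is rolled out.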

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.

Enable Windows Hello for Business, tenant-wide

Activation with a policy

To activate it only for a certain group, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.

Intune - Identity protection profile
Intune - Identity protection profile - name

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

Intune - Identity protection profile - settings

Create Cloud Trust Policy

To configure the Cloud Trust Policy, we create a "Custom Profile" with an OMA-URI. This OMA-URI shows the end device the way to the right tenant for authentication.

You create the policy under "Devices > Windows > Configuration profiles > + Create profile".

Intune - custom configuration profile
Intune - custom configuration profile - name and description

Here you add an entry and enter the OMA-URI below. Don't forget to replace "YourTenantID" in the OMA-URI with your Tenant ID. (You can find the ID here)

Description: Windows Hello for Business cloud trust
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type: Boolean
Intune profile WH4B cloud trust

2 thoughts on “Windows Hello for Business - Cloud Trust - Hybrid”

  1. Hello, thank you very much for the tutorial. I noticed that in hybrid systems, logging on to the terminal server or other RDP systems with Hello is then not possible
