Windows Hello for Business - Cloud Kerberos Trust - Hybrid
- Florian Salzmann
- Posted on 15 Jul, 2022
- Updated on 28 Jan, 2025
- 03 Mins read
- Microsoft Intune,Security,Windows 10,Windows 11
With the “Hybrid Cloud Trust Deployment” it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).
Requirements
- Windows 10, version 21H2 or Windows 11
- Multi factor authentication
- Fully patched Windows Server 2016 or later domain controllers
- Azure AD Kerberos PowerShell module
- MDM managed device
Azure AD Configuration - Kerberos
First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Second, we now create the Kerberos server object:
$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin
# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Verify Kerberos object
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
Windows Hello for Business policy with Intune
Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPO’s, you must have the ADMX files up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs
Activate Windows Hello for Business
To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.
Activation tenant-wide
You can activate tenant-wide under “Devices > Windows > Windows enrollment”. If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.
Activation with a policy
To activate only a certain circle, you can go to “Devices> Windows> Configuration profiles” create a new “Identity Protection” profile.
In the settings it is important that “Use a Trusted Platform Module (TPM)” is active.
Create Cloud Kerberos Trust Policy
In the past, to configure Cloud Kerberos Trust for devices via Intune, we needed to create a Custom Profile with an OMA-URI. This required manually entering details like your Tenant ID into the configuration. Here’s a quick reminder of how it used to work:
Old Method: Using a Custom Profile
- Navigate to Devices > Windows > Configuration Profiles and click on +Create profile.
- Select a Custom Profile.
- Set up an entry with the following OMA-URI:
- Name:
UseCloudTrustForOnPremAuth - Description: Windows Hello for Business cloud trust
- OMA-URI:
./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth - Data Type: Boolean
- Value: True
- Name:
Now, instead of manually creating this policy with OMA-URI, Intune has simplified the process by allowing you to configure Cloud Kerberos Trust directly through a Settings Catalog policy.
New Method: Using the Settings Catalog in Intune
- Go to: Devices > Windows > Configuration Profiles, and click on +Create profile.
- Platform: Select Windows 10 and later.
- Profile type: Select Settings Catalog.
- Name the Profile (e.g., “WIN-CloudKerberosTrust”).
- Under Configuration settings, click Add settings.
- Search for “Windows Hello for Business”.
- Select the setting for Use Cloud Kerberos Trust for On Prem Auth.
- Set the value to Enabled.
- Assign the profile to the appropriate device groups.

If you have previously used a certificate for on prem out, make sure you deactivate it (marked in blue above).
Summary
Thanks to Windows Hello for Business Cloud Trust, it’s much easier to get a Kerberos authentication trusted by Windows Hello from a cloud-only device (Azure AD joined).
For me, there are few to no reasons to use hybrid joined devices. - All thanks to this great feature!





