Windows Hello for Business - Cloud Trust - Hybrid

Hybrid Cloud Trust Deployment

With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. Previously this required considerable effort and a CA (Certificate Authority).

Requirements

  • Windows 10, version 21H2 or Windows 11
  • Multi factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):

# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Second, we now create the Kerberos server object:

$Domain = Read-Host "Your local AD Domain name"
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential   # local AD Admin

# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify the Kerberos object
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) – Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate it tenant-wide under «Devices > Windows > Windows enrollment». If you choose this option, all devices will ask for the Windows Hello configuration on enrollment.

Enable Windows Hello for Business, tenant-wide

Activation with a policy

To activate it only for a specific group, create a new «Identity Protection» profile under «Devices > Windows > Configuration profiles».

Intune - Identity protection profile
Intune - Identity protection profile - name

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

Intune - Identity protection profile - settings

Create Cloud Trust Policy

To configure the Cloud Trust Policy, we create a "Custom Profile" with an OMA-URI. This OMA-URI tells the end device which tenant to use for authentication.

You create the policy under «Devices > Windows > Configuration profiles > +Create profile».

Intune - custom configuration profile
Intune - custom configuration profile - name and description

Here you add a row and enter the OMA-URI below. Don't forget to replace «YourTenantID» in the OMA-URI with your Tenant ID. (You can find the ID here.)

Name: UseCloudTrustForOnPremAuth
Description: Windows Hello for Business cloud trust
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type: Boolean
Value: True
Intune profile WH4B cloud trust
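Once the Kerberos server object (section "Azure AD Configuration - Kerberos") and the custom policy above are in place, the two halves can be checked from PowerShell. This is an added example, not code from the original post; the object property names (KeyVersion, CloudKeyVersion, KeyUpdatedOn), the registry path the PassportForWork CSP writes the policy to, and the dsregcmd /status field names (CloudTgt, OnPremTgt) are assumptions based on Microsoft's documented output.

```powershell
# Added example (not from the original post). Run Test-CloudTrustServerObject where the
# AzureADHybridAuthenticationManagement module is installed, Test-CloudTrustClientState on a client.

function Test-CloudTrustServerObject {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$CloudUPN,
        [Parameter(Mandatory)] [pscredential]$DomainCred,
        [int]$MaxKeyAgeDays = 30    # local choice, not a Microsoft-mandated value
    )
    $krb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
    if (-not $krb) { Write-Warning "No Azure AD Kerberos server object found for $Domain"; return $false }
    # Assumed properties: KeyVersion (on-prem AD copy) vs CloudKeyVersion (Azure AD copy) must match,
    # otherwise partial TGTs signed in the cloud cannot be validated by the domain controllers.
    $inSync = ($krb.KeyVersion -eq $krb.CloudKeyVersion)
    if (-not $inSync) {
        Write-Warning "Key versions differ (AD: $($krb.KeyVersion), cloud: $($krb.CloudKeyVersion)); re-run Set-AzureADKerberosServer"
    }
    $keyAge = (Get-Date) - [datetime]$krb.KeyUpdatedOn
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        Write-Warning "Kerberos server key is $([int]$keyAge.TotalDays) days old; rotate with Set-AzureADKerberosServer -RotateServerKey"
    }
    return $inSync
}

function Test-CloudTrustClientState {
    param([Parameter(Mandatory)] [string]$TenantId)
    # Assumed: the CSP mirrors the OMA-URI policy to this key as a DWORD (1 = enabled).
    $key = "HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\$TenantId\Device\Policies"
    $policy = Get-ItemProperty -Path $key -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue
    # Assumed: the SSO State section of dsregcmd /status prints "CloudTgt : YES" and "OnPremTgt : YES"
    # once the user has signed in with Windows Hello and received a partial TGT from Azure AD.
    $status = dsregcmd /status
    $field = {
        param($name)
        $m = $status | Select-String "^\s*$name\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    [pscustomobject]@{
        PolicyApplied = [bool]($policy -and $policy.UseCloudTrustForOnPremAuth -eq 1)
        CloudTgt      = & $field 'CloudTgt'
        OnPremTgt     = & $field 'OnPremTgt'
    }
}
```

Run Test-CloudTrustClientState in the signed-in user's (non-elevated) session, since dsregcmd reports SSO state for the current user; PolicyApplied true with CloudTgt and OnPremTgt both YES is the healthy result.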
