
Windows Hello for Business - Cloud Trust - Hybrid

With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. Previously this was only possible with considerable effort and in combination with a CA (Certificate Authority).

Prerequisites

  • Windows 10, version 21H2 or Windows 11
  • Multi factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect server. The easiest way to do this is with PowerShell (run as administrator):

# First, ensure TLS 1.2 is used for PowerShell Gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Next, create the Kerberos server object:

$Domain = $env:USERDNSDOMAIN                                        # on-premises AD domain (DNS name)
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."    # you will be prompted to sign in with this account
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD admin

# Create and publish the new Azure AD Kerberos server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify the Kerberos object (same variables as above; PowerShell variable names are case-insensitive)
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
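The verification step above only prints the object. The following script is an added example, not part of the original post, that turns the output of Get-AzureADKerberosServer into a pass/fail check: it confirms that the on-premises and Azure AD copies of the object carry the same Id and key version, warns when the key is older than a locally chosen limit, and rotates it with the module's own -RotateServerKey switch. The property names (KeyVersion, CloudKeyVersion, KeyUpdatedOn, KeyUpdatedFrom, Id, CloudId, DomainDnsName) follow the object the cmdlet returns; the 90-day limit is an assumption standing in for your own rotation policy, and $Domain, $CloudUPN and $DomainCred are the variables set in the steps above.

```powershell
# Added example (not from the original post): health check for the Azure AD Kerberos
# server object created by Set-AzureADKerberosServer.
# Assumes the AzureADHybridAuthenticationManagement module is installed and that
# $Domain, $CloudUPN and $DomainCred are already set as in the steps above.

function Test-AzureADKerberosServerHealth {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $CloudUPN,
        [Parameter(Mandatory)] [pscredential] $DomainCred,
        [int] $MaxKeyAgeDays = 90   # assumption: your own rotation interval for the krbtgt_AzureAD key
    )

    $srv = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
    if (-not $srv) { throw "No Azure AD Kerberos server object found for domain $Domain" }

    $problems = @()

    # Both sides must hold the same object Id and key version; otherwise TGTs issued
    # by Azure AD will not be accepted by the on-premises domain controllers.
    if ($srv.Id -ne $srv.CloudId) {
        $problems += "Id mismatch: AD=$($srv.Id) AzureAD=$($srv.CloudId)"
    }
    if ($srv.KeyVersion -ne $srv.CloudKeyVersion) {
        $problems += "Key version mismatch: AD=$($srv.KeyVersion) AzureAD=$($srv.CloudKeyVersion)"
    }

    # Age of the current key, measured from the last on-premises update.
    $keyAge = (Get-Date) - [datetime]$srv.KeyUpdatedOn
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        $problems += "Key is $([int]$keyAge.TotalDays) days old (limit $MaxKeyAgeDays)"
    }

    [pscustomobject]@{
        Domain          = $srv.DomainDnsName
        KeyVersion      = $srv.KeyVersion
        CloudKeyVersion = $srv.CloudKeyVersion
        KeyUpdatedOn    = $srv.KeyUpdatedOn
        KeyUpdatedFrom  = $srv.KeyUpdatedFrom
        Healthy         = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

$health = Test-AzureADKerberosServerHealth -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred
$health | Format-List

# Rotate the key when it has exceeded the age limit, then re-check so that a version
# mismatch between AD and Azure AD after rotation does not go unnoticed.
if ($health.Problems | Where-Object { $_ -like 'Key is * days old*' }) {
    Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred -RotateServerKey
    Test-AzureADKerberosServerHealth -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred | Format-List
}
```

Run it from the same elevated session used for the installation; the Azure AD sign-in prompt for $CloudUPN appears once per cmdlet call. A version mismatch right after creation usually means replication between the domain controllers has not finished yet, so re-run the check before changing anything.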

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, you must have the ADMX files up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.

Enable Windows Hello for Business, tenant-wide

Activation with a policy

To enable it only for a certain group of devices, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.

Intune - Identity protection profile
Intune - Identity protection profile - name

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

Intune - Identity protection profile - settings

Create Cloud Trust Policy

To configure the Cloud Trust policy, we create a "Custom Profile" with an OMA-URI. This OMA-URI tells the end device which tenant to use for authentication.

You create the policy under "Devices > Windows > Configuration profiles +Create profile".

Intune - custom configuration profile
Intune - custom configuration profile - name and description

Here you add an entry and enter the OMA-URI below. Don't forget that you must replace "YourTenantID" in the OMA-URI with your tenant ID. (You can find the ID here)

Description: Windows Hello for Business cloud trust
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type: Boolean
Intune profile WH4B cloud trust
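Once the custom profile has been assigned and the device has synced, it is worth confirming on the client that cloud trust is actually in use rather than trusting the Intune deployment status. The script below is an added example, not part of the original post, that reads the SSO section of "dsregcmd /status" and the cached tickets from "klist", both built into Windows, and reports whether the user holds a ticket-granting ticket from the Azure AD Kerberos realm (KERBEROS.MICROSOFTONLINE.COM) as well as one for the on-premises domain. The field names matched from dsregcmd (AzureAdJoined, DomainJoined, OnPremTgt, CloudTgt) are the ones that tool prints; the summary property CloudTrustWorking is this example's own name.

```powershell
# Added example (not from the original post): verify on an enrolled client that the
# UseCloudTrustForOnPremAuth policy has taken effect. Run it in the user's own session
# after a Windows Hello sign-in, not in an elevated session of a different account.

function Get-CloudTrustStatus {
    # dsregcmd prints "Name : Value" lines; keep the ones relevant to cloud Kerberos trust.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|OnPremTgt|CloudTgt)\s*:\s*(\S+)') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    # klist lists the ticket cache. With cloud trust, the user first obtains a TGT from the
    # Azure AD Kerberos realm and exchanges it for an on-premises TGT, so both should be present.
    $tickets   = klist
    $cloudTgt  = [bool]($tickets | Select-String -Pattern 'krbtgt/KERBEROS\.MICROSOFTONLINE\.COM' -Quiet)
    $onPremPat = 'krbtgt/' + [regex]::Escape($env:USERDNSDOMAIN)
    $onPremTgt = [bool]($tickets | Select-String -Pattern $onPremPat -Quiet)

    [pscustomobject]@{
        AzureAdJoined     = $fields['AzureAdJoined']
        DomainJoined      = $fields['DomainJoined']
        OnPremTgt         = $fields['OnPremTgt']     # YES once a cloud TGT was exchanged for an on-prem TGT
        CloudTgt          = $fields['CloudTgt']      # YES once Azure AD issued a cloud TGT to this user
        CloudTgtCached    = $cloudTgt
        OnPremTgtCached   = $onPremTgt
        # Example's own summary: policy applied and both tickets obtained.
        CloudTrustWorking = ($fields['OnPremTgt'] -eq 'YES' -and $fields['CloudTgt'] -eq 'YES' -and $cloudTgt)
    }
}

Get-CloudTrustStatus | Format-List
```

If CloudTgt is YES but OnPremTgt is NO, the device reached Azure AD but could not exchange the ticket at a domain controller, which usually points at the Kerberos server object (see the health check in the Azure AD configuration section) or at a domain controller that is not reachable from the client. If both are NO after a fresh sign-in, check that the tenant ID in the OMA-URI is correct and that the profile actually applied to this device.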

2 thoughts on “Windows Hello for Business - Cloud Trust - Hybrid”

  1. Hello, many thanks for the tutorial. I noticed that in hybrid systems, logging on to the terminal server or other RDP systems is then not possible with Hello.