With the Hybrid Cloud Trust deployment (Microsoft's "cloud Kerberos trust") it is finally possible to sign in to local/on-premises resources with Windows Hello for Business (face, PIN, security key) without much effort. Previously this required the key trust or certificate trust model, both of which depend on a PKI with a CA (Certificate Authority) issuing certificates to domain controllers or users.
Requirements
- Windows 10, version 21H2 or Windows 11, fully patched
- Azure AD multi-factor authentication for the users who enrol
- Fully patched Windows Server 2016 or later domain controllers
- Azure AD Kerberos PowerShell module (AzureADHybridAuthenticationManagement)
- Hybrid Azure AD joined devices, managed with Intune (MDM) or, for the policy part, Group Policy
Azure AD Configuration - Kerberos
First we install the module, for example on the Azure AD Connect server (it needs reachability to both a domain controller and Azure AD). The easiest way is PowerShell, run as administrator:
# Force TLS 1.2 for PowerShell Gallery access (older Windows PowerShell defaults to TLS 1.0/1.1, which the gallery rejects).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the Azure AD Kerberos PowerShell module from the PowerShell Gallery.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Second, we create the Kerberos server object. The command signs you in to Azure AD interactively (including the MFA prompt) with the Global Administrator account and uses the Domain Admin credential to create the matching objects in Active Directory:
# Active Directory domain in which the Azure AD Kerberos Server object is created
$Domain = $env:USERDNSDOMAIN
# UPN of a Global Administrator in Azure AD (you will be prompted to sign in with it)
$CloudUPN = Read-Host "UPN of a Global Administrator in your Azure AD"
# On-premises Domain Admin credential, used to create the objects in AD
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
# Create the Azure AD Kerberos Server object in AD and publish it to Azure AD
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Verify the object: KeyVersion (on-premises) and CloudKeyVersion (Azure AD) must match
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
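The verification step above only prints the object. The following script, added here as an example and not part of the original post, checks the object on both sides and rotates its key when it gets old. It assumes the AzureADHybridAuthenticationManagement module installed above and the RSAT ActiveDirectory module are present on the machine, that $CloudUPN and $DomainCred mean the same as in the commands above, and that the 30-day rotation threshold is a value chosen for this example rather than a Microsoft default.

```powershell
<#
Added example (not from the original post): check the Azure AD Kerberos Server
object on-premises and in Azure AD, and rotate its key when it is older than
a chosen threshold. Assumes the AzureADHybridAuthenticationManagement and RSAT
ActiveDirectory modules are installed; the 30-day threshold is an example value.
#>
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [Parameter(Mandatory)][string]$CloudUPN,
    [Parameter(Mandatory)][pscredential]$DomainCred,
    [int]$MaxKeyAgeDays = 30,
    [switch]$Rotate
)

Import-Module AzureADHybridAuthenticationManagement
Import-Module ActiveDirectory

# 1. On-premises side. Set-AzureADKerberosServer creates a read-only domain
#    controller account named AzureADKerberos and a dedicated Kerberos account
#    named krbtgt_AzureAD. If either is missing, the object was never created.
$rodc   = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -Server $Domain -Credential $DomainCred
$krbtgt = Get-ADUser     -Filter "Name -eq 'krbtgt_AzureAD'"  -Server $Domain -Credential $DomainCred
if (-not $rodc -or -not $krbtgt) {
    throw "AzureADKerberos / krbtgt_AzureAD not found in $Domain. Run Set-AzureADKerberosServer first."
}

# 2. Cloud side. The object published to Azure AD must carry the same key
#    version as the on-premises krbtgt_AzureAD account; the TGTs Azure AD
#    issues are encrypted with that key, so a mismatch breaks sign-in.
$server = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    throw ("Key version mismatch: on-premises {0}, Azure AD {1}. Re-run Set-AzureADKerberosServer." -f
           $server.KeyVersion, $server.CloudKeyVersion)
}

# 3. Key age. krbtgt_AzureAD is a long-lived domain secret and should be rotated
#    on a schedule like the regular krbtgt key. -RotateServerKey rotates it
#    on-premises and republishes the new version to Azure AD in one step.
$keyAge = (Get-Date) - [datetime]$server.KeyUpdatedOn
Write-Host ("Key version {0} is {1:N0} days old (last updated from {2})" -f
            $server.KeyVersion, $keyAge.TotalDays, $server.KeyUpdatedFrom)

if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
    if ($Rotate) {
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred -RotateServerKey
        # Show the new version on both sides so the operator can confirm they match again
        Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred |
            Select-Object KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
    } else {
        Write-Warning "Key is older than $MaxKeyAgeDays days; re-run with -Rotate to rotate it."
    }
}
```

Run it without -Rotate first to see the current state; rotation is a change to a domain secret and should go through the same change process as a krbtgt reset.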
Windows Hello for Business policy with Intune
Intune makes it very easy to configure the policy.
If you have an on-premises infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date. Microsoft describes this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs
Activate Windows Hello for Business
Windows Hello for Business can be enabled either tenant-wide or only for a group, using a policy.
Activation tenant-wide
You can enable it tenant-wide under "Devices > Windows > Windows enrollment > Windows Hello for Business". With this option every device asks the user to set up Windows Hello during enrollment.

Activation with a policy
To enable it only for a specific group, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.
In the settings it is important that "Use a Trusted Platform Module (TPM)" is enabled, so the Windows Hello private key is generated and kept in the TPM rather than in software.

Create Cloud Trust Policy
To configure the cloud trust policy, we create a "Custom" profile with an OMA-URI. The tenant ID in the OMA-URI path scopes the setting to your tenant, and the setting tells the device to use cloud Kerberos trust, rather than key or certificate trust, when authenticating to on-premises resources.
You create the policy under "Devices > Windows > Configuration profiles +Create profile".
Add a row and enter the OMA-URI below. Don't forget to replace "YourTenantID" in the OMA-URI with your own tenant ID (Azure Active Directory > Overview > Tenant ID in the Azure portal).
Setting | Value
Name | UseCloudTrustForOnPremAuth
Description | Windows Hello for Business cloud trust
OMA-URI | ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type | Boolean
Value | True
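The same custom profile can be created with Microsoft Graph PowerShell instead of the portal, which removes the most common mistake in this step (a mistyped tenant ID) by reading the ID from the signed-in tenant. This is an added example, not from the original post: it assumes the Microsoft.Graph PowerShell SDK is installed, and the profile name and the pilot group name are placeholders chosen for the example.

```powershell
<#
Added example (not from the original post): create the cloud trust custom
profile via Microsoft Graph and assign it to a pilot group. Assumes the
Microsoft.Graph SDK is installed; $ProfileName and $TargetGroupName are
placeholders chosen for this example.
#>
param(
    [string]$ProfileName     = 'WHfB - UseCloudTrustForOnPremAuth',
    [string]$TargetGroupName = 'WHfB Cloud Trust Pilot'
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

# The ID in the OMA-URI must be the directory (tenant) ID of the tenant the
# devices are joined to; take it from the session instead of typing it.
$tenantId = (Get-MgContext).TenantId
$omaUri   = "./Device/Vendor/MSFT/PassportForWork/$tenantId/Policies/UseCloudTrustForOnPremAuth"

# Custom (OMA-URI) profile with a single boolean setting, matching the table above
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Windows Hello for Business cloud trust'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'UseCloudTrustForOnPremAuth'
            description   = 'Windows Hello for Business cloud trust'
            omaUri        = $omaUri
            value         = $true
        }
    )
}
$config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $body
Write-Host "Created profile $($config.DisplayName) ($($config.Id)) with OMA-URI $omaUri"

# Assign the profile to the pilot group (fail loudly if the group is ambiguous or missing)
$group = @(Get-MgGroup -Filter "displayName eq '$TargetGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$TargetGroupName', found $($group.Count)."
}
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $group[0].Id
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($config.Id)/assign" `
    -Body $assignBody
Write-Host "Assigned to group $($group[0].DisplayName)"
```

Once a device in the group has synced the profile, sign in there with Windows Hello and run klist in that session: a ticket for krbtgt/KERBEROS.MICROSOFTONLINE.COM shows that the Azure AD Kerberos TGT was obtained and cloud trust is in use for on-premises authentication.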

Hello, many thanks for the tutorial. I noticed that in hybrid setups, signing in to a terminal server or other RDP systems is then not possible with Hello.
Hello Peter
Yes, unfortunately RDP does not currently support Windows Hello sign-in.