With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).
Requirements
- Windows 10, version 21H2 or Windows 11
- Multi factor authentication
- Fully patched Windows Server 2016 or later domain controllers
- Azure AD Kerberos PowerShell module
- MDM managed device
Azure AD Configuration - Kerberos
First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Second, we now create the Kerberos server object:
$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin
# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Verify the Kerberos server object
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
Windows Hello for Business policy with Intune
Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs
Activate Windows Hello for Business
To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.
Activation tenant-wide
You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.
Activation with a policy
To activate it only for a certain group, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.
In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.
Create Cloud Trust Policy
To configure the Cloud Trust Policy, we create a "Custom Profile" with an OMA-URI. This OMA-URI points the end device to the right tenant for authentication.
You create the policy under "Devices > Windows > Configuration profiles +Create profile".
Here you add an entry and enter the OMA-URI below. Don't forget to replace "YourTenantID" in the OMA-URI with your own tenant ID. (You can find the tenant ID in the Azure AD portal.)
Name | UseCloudTrustForOnPremAuth
Description | Windows Hello for Business cloud trust
OMA-URI | ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type | Boolean
Value | True
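As an added example (not part of the original post), here is a PowerShell check to run on an enrolled client after the policy has applied and the user has signed in with Windows Hello while the device has line of sight to a domain controller. It assumes the CSP writes the setting as a DWORD under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\<TenantId>\Policies, that dsregcmd /status prints OnPremTgt and CloudTgt lines in its SSO State section, and that klist lists the cloud ticket as krbtgt/KERBEROS.MICROSOFTONLINE.COM; those names are assumptions, not taken from the post.

```powershell
# Added example, not from the original post: client-side health check for
# Windows Hello for Business cloud trust. Registry layout, dsregcmd field
# names and the cloud Kerberos realm name are assumptions (see lead-in).
param(
    [Parameter(Mandatory)] [string] $TenantId   # your Azure AD tenant ID (GUID)
)

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$policyPath = Join-Path $base "$TenantId\Policies"

# 1. Is UseCloudTrustForOnPremAuth present and set to 1 (True) for THIS tenant?
$value = (Get-ItemProperty -Path $policyPath -Name 'UseCloudTrustForOnPremAuth' `
            -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
$policyOk = ($value -eq 1)

# 2. Are there leftover tenant-ID subkeys (old GPO / old tenant) that could
#    conflict with the current policy? Any GUID-named subkey that is not the
#    current tenant is reported as a candidate for clean-up.
$stale = @()
if (Test-Path $base) {
    $stale = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne $TenantId -and
                       $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object { $_.PSChildName }
}

# 3. Did the device obtain both an on-premises TGT and a cloud TGT at sign-in?
$status    = dsregcmd /status
$onPremTgt = [bool]($status | Select-String -Pattern '^\s*OnPremTgt\s*:\s*YES' -Quiet)
$cloudTgt  = [bool]($status | Select-String -Pattern '^\s*CloudTgt\s*:\s*YES'  -Quiet)

# 4. Cross-check with the ticket cache of the current logon session.
$domain   = $env:USERDNSDOMAIN
$tickets  = klist
$hasAdTgt = [bool]($tickets | Select-String -Pattern "krbtgt/$domain" -Quiet)
$hasAadTgt = [bool]($tickets | Select-String -Pattern 'krbtgt/KERBEROS\.MICROSOFTONLINE\.COM' -Quiet)

# One object per check so the output is easy to read or export.
[pscustomobject]@{
    TenantId        = $TenantId
    PolicyValue     = $value
    PolicyOk        = $policyOk
    StaleTenantKeys = ($stale -join ', ')
    OnPremTgt       = $onPremTgt
    CloudTgt        = $cloudTgt
    AdTgtInCache    = $hasAdTgt
    CloudTgtInCache = $hasAadTgt
}
```

If PolicyOk is true but OnPremTgt and AdTgtInCache are false, the device is not retrieving an on-premises TGT at sign-in, which is the symptom described in the comments below; stale keys listed under StaleTenantKeys are the first thing to remove.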
Summary
Thanks to Windows Hello for Business Cloud Trust, it's much easier to get a Kerberos authentication trusted by Windows Hello from a cloud-only device (Azure AD joined).
For me, there are few to no reasons left to use hybrid-joined devices, all thanks to this great feature!
Hello, thank you very much for the tutorial. I noticed that in hybrid systems, signing in to a terminal server or other RDP systems is then not possible with Hello.
Hello Peter
Yes, unfortunately RDP does not yet support Windows Hello sign-in.
Hi,
Do you have any advice or pointers on where I can investigate why this is not working?
I have the policies applied, and I can see the endpoints correctly configured. However, when users sign in with their PIN or face ID they are still being prompted for credentials. When they lock and sign back in using their password, then it allows access to local resources.
It seems as if the devices are just not pulling a TGT at login when they have line of sight to the DC.
Thanks
James
Hi James, it sounds like there is an old GPO or registry left.
Could you check the registry path and delete any keys in it?
HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork