With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).

Table of Contents


  • Windows 10, version 21H2 or Windows 11
  • Multi factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):

# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobberCode language: PowerShell (powershell)

Second, we now create the Kerberos server object:

$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin

# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify Kerberos object
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudUPN -DomainCredential $domainCred
Code language: PowerShell (powershell)

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPO's, you must have the ADMX files up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.

Enable Windows Hello for Business, Tenant-wide

Activation with a policy

To activate only a certain circle, you can go to "Devices> Windows> Configuration profiles" create a new "Identity Protection" profile.

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

Intune - Identity protection profile - settings

Create Cloud Trust Policy

To configure the Cloud Trust Policy, we create a "Custom Profile" with an OMA Uri. This OMA Uri shows the end device the way to the right tenant for authentication.

You create the policy under "Devices > Windows > Configuration profiles +Create profile".

Here you add an entry and enter the OMA-URI below. Don't forget, you must in the OMA-URI"YourTenantID" with your Tenant ID. (You can find the ID here)

BeschreibungWindows Hello for Business cloud trust
Data typeBoolean
Intune profile WH4B cloud trust


Thanks to Windows Hello for Business Cloud Trust, it's much easier to get a Kerberos authentication trusted by Windows Hello from a cloud-only device (Azure AD joined).
For me, there are few to no reasons to use hybrid joined devices. - All thanks to this great feature!