With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).
Requirements
- Windows 10, version 21H2 or Windows 11
- Multi-factor authentication
- Fully patched Windows Server 2016 or later domain controllers
- Azure AD Kerberos PowerShell module
- MDM managed device
Azure AD Configuration - Kerberos
First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Next, we create the Kerberos server object:
$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin
# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
# Verify Kerberos object
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
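As an added example (not part of the original post), a health check for the object just created: it compares the key version stored in AD with the copy in Azure AD and reports the key age, rotating the key only when asked. Property names are those shown in the output of Get-AzureADKerberosServer; the 90-day threshold is an assumption.

```powershell
# Added example, not from the original post. Assumes the AzureADHybridAuthenticationManagement
# module is installed and $Domain, $CloudUPN and $DomainCred are set as in the snippet above.
# Property names are those printed by Get-AzureADKerberosServer.
function Test-AzureADKerberosServerHealth {
    param(
        [string]$Domain,
        [string]$CloudUPN,
        [pscredential]$DomainCred,
        [int]$MaxKeyAgeDays = 90,   # assumption: adjust to your key-rotation policy
        [switch]$Rotate             # rotate only when explicitly requested
    )

    $krb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
    if (-not $krb) { throw "No Azure AD Kerberos server object found for domain $Domain." }

    # The krbtgt_AzureAD account in AD and its copy in Azure AD must carry the same key version;
    # a mismatch means the last publish or rotation did not reach one side.
    $inSync = ($krb.KeyVersion -eq $krb.CloudKeyVersion)
    if (-not $inSync) {
        Write-Warning ("Key version mismatch: AD {0}, Azure AD {1}. Re-run Set-AzureADKerberosServer." -f $krb.KeyVersion, $krb.CloudKeyVersion)
    }

    # Report the key age; an old key widens the window in which a leaked key stays usable.
    $keyAge = (Get-Date) - [datetime]$krb.KeyUpdatedOn
    $tooOld = $keyAge.TotalDays -gt $MaxKeyAgeDays
    if ($tooOld -and $Rotate) {
        Write-Warning ("Key is {0:N0} days old, rotating." -f $keyAge.TotalDays)
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred -RotateServerKey
    }

    # Values reflect the state before any rotation triggered above.
    [pscustomobject]@{
        Domain          = $krb.DomainDnsName
        KeyVersion      = $krb.KeyVersion
        CloudKeyVersion = $krb.CloudKeyVersion
        InSync          = $inSync
        KeyAgeDays      = [int]$keyAge.TotalDays
        NeedsRotation   = $tooOld
        UpdatedFrom     = $krb.KeyUpdatedFrom
    }
}

Test-AzureADKerberosServerHealth -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred
```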
Windows Hello for Business policy with Intune
Intune makes it very easy to configure the policy.
If you have an on-premises infrastructure and want to distribute the policy with GPOs, your ADMX files must be up to date. Microsoft documents this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs
Activate Windows Hello for Business
To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.
Activation tenant-wide
You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.
Activation with a policy
To enable it only for a specific group, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.
In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.
Create Cloud Kerberos Trust Policy
In the past, to configure Cloud Kerberos Trust for devices via Intune, we needed to create a Custom Profile with an OMA-URI. This required manually entering details like your Tenant ID into the configuration. Here's a quick reminder of how it used to work:
Old Method: Using a Custom Profile
- Navigate to Devices > Windows > Configuration Profiles and click on +Create profile.
- Select a Custom Profile.
- Set up an entry with the following OMA-URI:
  - Name: UseCloudTrustForOnPremAuth
  - Description: Windows Hello for Business cloud trust
  - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
  - Data Type: Boolean
  - Value: True
Now, instead of manually creating this policy with OMA-URI, Intune has simplified the process by allowing you to configure Cloud Kerberos Trust directly through a Settings Catalog policy.
New Method: Using the Settings Catalog in Intune
- Go to: Devices > Windows > Configuration Profiles, and click on +Create profile.
- Platform: Select Windows 10 and later.
- Profile type: Select Settings Catalog.
- Name the Profile (e.g., "WIN-CloudKerberosTrust").
- Under Configuration settings, click Add settings.
- Search for "Windows Hello for Business".
- Select the setting for Use Cloud Kerberos Trust for On Prem Auth.
- Set the value to Enabled.
- Assign the profile to the appropriate device groups.
If you previously used a certificate for on-premises authentication, make sure you disable that setting (marked in blue in the screenshot above).
Summary
Thanks to Windows Hello for Business Cloud Trust, it is much easier to obtain Kerberos authentication from a cloud-only (Azure AD joined) device signed in with Windows Hello.
For me, there are few to no reasons left to use hybrid joined devices, all thanks to this great feature!
Hello, thank you very much for the tutorial. I noticed that in hybrid systems, logging on to a terminal server or other RDP systems with Hello is then not possible.
Hello Peter
Yes, unfortunately RDP does not support Windows Hello sign-in yet.
Hi,
Do you have any advice or pointers on where I can investigate why this is not working?
I have the policies applied, and I can see the endpoints correctly configured. However, when users sign in with their PIN or face ID, they are still being prompted for credentials. When they lock and sign back in using their password, it allows access to local resources.
It seems as if the devices are just not pulling a TGT at login when they have line of sight to the DC.
Thanks
James
Hi James, it sounds like there is an old GPO or registry setting left behind.
Could you check the registry path and delete any keys in it?
HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork
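As an added example (not part of the original thread), a client-side check for the situation James describes: it reads the SSO state from dsregcmd /status, lists any leftover entries under the registry path named above, and checks whether the user session holds a Kerberos TGT. The field names AzureAdJoined, DomainJoined, CloudTgt and OnPremTgt are those printed by dsregcmd; run it as the affected user after a Windows Hello sign-in with line of sight to a DC.

```powershell
# Added example, not from the original post. Run as the affected user on the device after a
# Windows Hello sign-in. Field names are those printed by dsregcmd /status; the registry path
# is the one named in the reply above.
function Test-CloudKerberosTrustClient {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    # Any GPO or hand-edited policy under this path takes precedence over the Intune setting,
    # so list every subkey and value that is still present.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $leftovers = @()
    if (Test-Path $policyRoot) {
        $leftovers += Get-ChildItem -Path $policyRoot -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name }
        $leftovers += (Get-Item -Path $policyRoot).Property | ForEach-Object { "$policyRoot : $_" }
    }

    # With cloud Kerberos trust working, the session holds a TGT for the on-prem domain (krbtgt/...).
    $hasTgt = [bool](klist | Select-String -Pattern 'krbtgt/' -Quiet)

    # Most likely explanation, checked in the order a troubleshooter would rule things out.
    $cause = if ($leftovers.Count -gt 0) { 'Leftover policy under PassportForWork' }
             elseif ($state['CloudTgt'] -ne 'YES') { 'Cloud Kerberos trust policy not applied at sign-in' }
             elseif ($state['OnPremTgt'] -ne 'YES') { 'No line of sight to a DC, or Kerberos server object missing' }
             else { 'Cloud Kerberos trust looks healthy' }

    [pscustomobject]@{
        AzureAdJoined       = $state['AzureAdJoined']
        DomainJoined        = $state['DomainJoined']
        CloudTgt            = $state['CloudTgt']    # YES: partial TGT issued by Azure AD at sign-in
        OnPremTgt           = $state['OnPremTgt']   # YES: partial TGT exchanged with a DC for a full TGT
        HasKerberosTgt      = $hasTgt
        LegacyPolicyEntries = $leftovers
        LikelyCause         = $cause
    }
}

Test-CloudKerberosTrustClient | Format-List
```

If LegacyPolicyEntries is non-empty, remove those entries (or the GPO that writes them), run gpupdate /force, and sign in again with Windows Hello before re-checking.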