With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. Previously this was only possible with considerable effort and only in combination with a CA (Certificate Authority).

Requirements

  • Windows 10, version 21H2 or Windows 11
  • Multi-factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):

# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Next, we create the Kerberos server object:

$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin

# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify the Kerberos server object (same variables as above; PowerShell is case-insensitive, but keep the names consistent)
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
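The object created above holds the key of the krbtgt_AzureAD account, which is as sensitive as the regular krbtgt key, so after deployment you want to know that the on-premises and Azure AD copies agree and that the key is rotated regularly. The following script is an added example, not code from the original post or from Microsoft. It assumes the AzureADHybridAuthenticationManagement module is installed and that $Domain, $CloudUPN and $DomainCred are set as in the snippet above; it reads the KeyVersion, CloudKeyVersion, DomainDnsName, CloudDomainDnsName and KeyUpdatedOn properties that Get-AzureADKerberosServer returns, and uses the documented -RotateServerKey switch of Set-AzureADKerberosServer. The 30-day limit is an assumption, not a Microsoft requirement.

```powershell
# Added example: health check for the Azure AD Kerberos server object, with optional key rotation.
# Assumes $Domain, $CloudUPN and $DomainCred from the setup snippet are still in scope.

function Test-AzureADKerberosServerHealth {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $CloudUPN,
        [Parameter(Mandatory)] [pscredential] $DomainCred,
        [int] $MaxKeyAgeDays = 30   # assumption: treat a key older than a month as a finding
    )

    $krb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
    if (-not $krb) { throw "No Azure AD Kerberos server object found for $Domain." }

    $problems = @()

    # Both copies must carry the same key version, otherwise the cloud-issued partial TGT cannot be exchanged on-prem.
    if ($krb.KeyVersion -ne $krb.CloudKeyVersion) {
        $problems += "Key version mismatch: AD=$($krb.KeyVersion), Azure AD=$($krb.CloudKeyVersion)"
    }

    # The object must be published for the same DNS domain on both sides.
    if ($krb.DomainDnsName -ne $krb.CloudDomainDnsName) {
        $problems += "Domain mismatch: AD=$($krb.DomainDnsName), Azure AD=$($krb.CloudDomainDnsName)"
    }

    # Key age: the krbtgt_AzureAD key should be rotated like the regular krbtgt key.
    $age = (Get-Date) - [datetime]$krb.KeyUpdatedOn
    if ($age.TotalDays -gt $MaxKeyAgeDays) {
        $problems += "Key is $([int]$age.TotalDays) days old (limit $MaxKeyAgeDays), last updated from $($krb.KeyUpdatedFrom)"
    }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
        Object   = $krb
    }
}

$health = Test-AzureADKerberosServerHealth -Domain $Domain -CloudUPN $CloudUPN -DomainCred $DomainCred

if ($health.Healthy) {
    Write-Host "Azure AD Kerberos server object for $Domain is healthy (key version $($health.Object.KeyVersion))."
} else {
    $health.Problems | ForEach-Object { Write-Warning $_ }

    # Rotation is a deliberate, operator-confirmed step; it re-publishes the key to both AD and Azure AD.
    if ((Read-Host "Rotate the Azure AD Kerberos server key now? (y/N)") -eq 'y') {
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred -RotateServerKey
        Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred |
            Select-Object KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
    }
}
```

Run it from the same elevated session as the setup commands. A version mismatch right after creation usually means replication has not finished yet; re-run the check before rotating, because rotation while the two sides are still out of sync only adds another version to reconcile.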

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, you must have the ADMX files up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.

[Screenshot: Enable Windows Hello for Business, tenant-wide]

Activation with a policy

To activate it only for a certain group of devices, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

[Screenshot: Intune - Identity protection profile - settings]

Create Cloud Kerberos Trust Policy

In the past, to configure Cloud Kerberos Trust for devices via Intune, we needed to create a Custom Profile with an OMA-URI. This required manually entering details like your Tenant ID into the configuration. Here's a quick reminder of how it used to work:

Old Method: Using a Custom Profile

  1. Navigate to Devices > Windows > Configuration Profiles and click on +Create profile.
  2. Select a Custom Profile.
  3. Set up an entry with the following OMA-URI:
    • Name: UseCloudTrustForOnPremAuth
    • Description: Windows Hello for Business cloud trust
    • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
    • Data Type: Boolean
    • Value: True
[Screenshot: Intune profile WH4B cloud trust]

Now, instead of manually creating this policy with OMA-URI, Intune has simplified the process by allowing you to configure Cloud Kerberos Trust directly through a Settings Catalog policy.

New Method: Using the Settings Catalog in Intune

  1. Go to: Devices > Windows > Configuration Profiles, and click on +Create profile.
  2. Platform: Select Windows 10 and later.
  3. Profile type: Select Settings Catalog.
  4. Name the Profile (e.g., "WIN-CloudKerberosTrust").
  5. Under Configuration settings, click Add settings.
  6. Search for "Windows Hello for Business".
  7. Select the setting for Use Cloud Kerberos Trust for On Prem Auth.
  8. Set the value to Enabled.
  9. Assign the profile to the appropriate device groups.
[Screenshot: Enable Cloud Kerberos Trust with settings catalog]

If you previously used a certificate for on-premises authentication (certificate trust), make sure you deactivate that setting (marked in blue in the screenshot above).
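Once the profile is assigned, the useful question on the device is whether the requirements from the top of the post and the policy itself actually arrived. The script below is an added example, not code from the original post or from Microsoft, and is meant to be run in an elevated PowerShell on the client after a Windows Hello sign-in. Its assumptions: Windows 10 21H2 corresponds to build 19044; dsregcmd /status prints "AzureAdJoined", "MdmUrl", "OnPremTgt" and "CloudTgt" as "Key : Value" lines; the MDM policy is written under HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies and the GPO equivalent under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork, both as the value UseCloudTrustForOnPremAuth. Those registry locations are assumptions; if your build stores the policy elsewhere, adjust the two paths.

```powershell
# Added example: client-side check for Windows Hello for Business cloud Kerberos trust prerequisites.
# Run as administrator on the device. Registry paths and dsregcmd field names are assumptions (see lead-in).

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $map = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $map[$matches[1]] = $matches[2].Trim()
        }
    }
    return $map
}

function Test-CloudKerberosTrustClient {
    $checks = [ordered]@{}

    # 1. OS build: Windows 10 21H2 is build 19044; Windows 11 builds are higher.
    $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    $checks['OS build >= 19044 (Windows 10 21H2 or later)'] = ($build -ge 19044)

    # 2. TPM present and ready, as the Identity Protection profile requires "Use a TPM".
    $tpm = Get-Tpm
    $checks['TPM present and ready'] = ([bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady)

    # 3. Join and management state.
    $ds = Get-DsregStatus
    $checks['Azure AD joined'] = ($ds['AzureAdJoined'] -eq 'YES')
    $checks['MDM enrolled (MdmUrl set)'] = -not [string]::IsNullOrWhiteSpace($ds['MdmUrl'])

    # 4. Cloud Kerberos trust policy present, delivered either by Intune (per-tenant key) or by GPO.
    $mdmPolicy = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty "$($_.PSPath)\Device\Policies" -ErrorAction SilentlyContinue } |
        Where-Object { $_.UseCloudTrustForOnPremAuth -eq 1 }
    $gpoPolicy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
    $checks['UseCloudTrustForOnPremAuth = 1 (MDM or GPO)'] = (($null -ne $mdmPolicy) -or ($gpoPolicy -eq 1))

    # 5. After a Windows Hello sign-in both a cloud TGT and an on-prem TGT should be present;
    #    a missing on-prem TGT is the usual symptom when the Kerberos server object or the policy is wrong.
    $checks['Cloud TGT present'] = ($ds['CloudTgt'] -eq 'YES')
    $checks['On-prem TGT present'] = ($ds['OnPremTgt'] -eq 'YES')

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    return $checks
}

$result = Test-CloudKerberosTrustClient
if ($result.Values -contains $false) { exit 1 } else { exit 0 }
```

The TGT checks only make sense in the context of the user who signed in with Windows Hello; when you run the script elevated as a different account, expect those two lines to fail and re-run dsregcmd /status as the signed-in user for that part.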

Summary

Thanks to Windows Hello for Business Cloud Trust, it is much easier to obtain Kerberos authentication trusted by Windows Hello from a cloud-only (Azure AD joined) device.
For me there are few, if any, reasons left to use hybrid-joined devices, all thanks to this great feature!