With the "Hybrid Cloud Trust Deployment" it is finally possible to log on to local / on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).

Requirements

  • Windows 10, version 21H2 or Windows 11
  • Multi factor authentication
  • Fully patched Windows Server 2016 or later domain controllers
  • Azure AD Kerberos PowerShell module
  • MDM managed device

Azure AD Configuration - Kerberos

First we install the module, for example on the Azure AD Connect Server. The easiest way to do this is with PowerShell (as admin):

# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Second, we now create the Kerberos server object:

$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "UPN of a Global Administrator in your Azure AD"
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # on-premises AD admin

# Create and publish the new Azure AD Kerberos Server object
# (prompts interactively for the cloud account, so MFA on that account works)
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

# Verify the Kerberos object in both the on-premises domain and Azure AD
Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
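The object created above is the one the cloud uses to issue Kerberos tickets that your domain controllers accept, so it deserves the same key hygiene as a krbtgt account. The following script is an added example and not part of the original post: it re-reads the object, warns when the on-premises and cloud key versions differ, and rotates the key when it is older than a chosen threshold. It assumes the AzureADHybridAuthenticationManagement module from the post is installed, that Get-AzureADKerberosServer exposes the properties KeyVersion, CloudKeyVersion and KeyUpdatedOn, and that Set-AzureADKerberosServer accepts -RotateServerKey (names taken from the module's documented output; check them against your module version).

```powershell
# Added example (not the original post's code): audit the Azure AD Kerberos Server object
# and rotate its key when it is older than $MaxKeyAgeDays.
# Assumed property/parameter names: KeyVersion, CloudKeyVersion, KeyUpdatedOn, -RotateServerKey.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [Parameter(Mandatory)][string]$CloudUPN,   # Global Administrator UPN in Azure AD
    [int]$MaxKeyAgeDays = 30                    # rotate when the key is older than this
)

$DomainCred = Get-Credential -Message 'Domain Admin credentials for the on-premises AD.'

# Read the object as it exists in the on-premises domain and in Azure AD.
$krb = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
if (-not $krb) {
    throw "No Azure AD Kerberos Server object found for $Domain. Run Set-AzureADKerberosServer first."
}

# 1) Both sides must carry the same key version; otherwise the cloud cannot issue
#    partial TGTs that the on-premises domain controllers will accept.
if ($krb.KeyVersion -ne $krb.CloudKeyVersion) {
    $msg = 'Key version mismatch: AD={0} AzureAD={1}. The object was not published correctly or the last rotation did not complete.' -f $krb.KeyVersion, $krb.CloudKeyVersion
    Write-Warning $msg
}

# 2) Key age: the AzureADKerberos object behaves like a read-only domain controller
#    account, so treat its key like a krbtgt key and rotate it on a schedule.
$age = (Get-Date) - [datetime]$krb.KeyUpdatedOn
Write-Host ('Key version {0}, last updated {1:yyyy-MM-dd} ({2} days ago)' -f $krb.KeyVersion, [datetime]$krb.KeyUpdatedOn, [int]$age.TotalDays)

if ($age.TotalDays -gt $MaxKeyAgeDays) {
    if ($PSCmdlet.ShouldProcess("AzureADKerberos object for $Domain", 'Rotate server key')) {
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred -RotateServerKey

        # Re-read and confirm that the version advanced on both sides.
        $after = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred
        if ($after.KeyVersion -le $krb.KeyVersion -or $after.KeyVersion -ne $after.CloudKeyVersion) {
            Write-Warning 'Rotation did not complete cleanly; re-run and check the object before relying on it.'
        } else {
            Write-Host "Rotated: key version is now $($after.KeyVersion) in AD and Azure AD."
        }
    }
} else {
    Write-Host "Key is within the $MaxKeyAgeDays-day limit; no rotation needed."
}
```

Run it with -WhatIf first to see whether a rotation would be triggered; the interactive sign-in for the cloud account happens on each Get-/Set- call, exactly as in the post's own commands.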

Windows Hello for Business policy with Intune

Intune makes it very easy to configure the policy.
If you have a local infrastructure and want to distribute the policy with GPOs, you must have the ADMX files up to date. Microsoft has a post about this in the Docs: Hybrid Cloud Trust Deployment (Windows Hello for Business) - Windows security | Microsoft Docs

Activate Windows Hello for Business

To enable Windows Hello for Business, you can either do it tenant-wide or just for a group with a policy.

Activation tenant-wide

You can activate tenant-wide under "Devices > Windows > Windows enrollment". If you choose this option, all devices will ask for the Windows Hello configuration during enrollment.

Enable Windows Hello for Business, Tenant-wide

Activation with a policy

To activate it only for a certain group of devices, go to "Devices > Windows > Configuration profiles" and create a new "Identity Protection" profile.

In the settings it is important that "Use a Trusted Platform Module (TPM)" is active.

Intune - Identity protection profile - settings

Create Cloud Trust Policy

To configure the Cloud Trust Policy, we create a "Custom Profile" with an OMA-URI. This OMA-URI tells the end device which tenant to use for authentication.

You create the policy under "Devices > Windows > Configuration profiles +Create profile".

Here you add an entry and enter the OMA-URI below. Don't forget: you must replace "YourTenantID" in the OMA-URI with your Tenant ID. (You can find the ID here)

Name: UseCloudTrustForOnPremAuth
Description: Windows Hello for Business cloud trust
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/YourTenantID/Policies/UseCloudTrustForOnPremAuth
Data type: Boolean
Value: True
Intune profile WH4B cloud trust
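The same custom profile can be created from PowerShell, which also makes it easy to validate the tenant ID before it ends up in the OMA-URI (a mistyped ID produces a policy that silently does nothing on the client). The script below is an added example, not the post's own code or anything from Intune: it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, uses the Graph windows10CustomConfiguration/omaSettingBoolean types, and takes an optional, assumed Azure AD group object ID for the assignment.

```powershell
# Added example (not from the original post): create the "UseCloudTrustForOnPremAuth"
# custom Intune profile via Microsoft Graph and optionally assign it to a group.
# Assumptions: Microsoft.Graph SDK installed; $AssignToGroupId is a group object ID you supply.

param(
    [Parameter(Mandatory)][string]$TenantId,                              # Azure AD tenant ID (a GUID)
    [string]$ProfileName = 'Windows Hello for Business cloud trust',
    [string]$AssignToGroupId                                               # optional group object ID
)

# Refuse anything that is not a well-formed GUID; a typo here is invisible on the device.
$guid = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
    throw "TenantId '$TenantId' is not a GUID. Copy it from the Azure AD overview page."
}

# The CSP path from the post, with the placeholder replaced by the validated tenant ID.
$omaUri = "./Device/Vendor/MSFT/PassportForWork/$($guid.Guid)/Policies/UseCloudTrustForOnPremAuth"

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Avoid creating a duplicate profile with the same name.
$existing = Get-MgDeviceManagementDeviceConfiguration -All | Where-Object DisplayName -eq $ProfileName
if ($existing) {
    Write-Host "Profile '$ProfileName' already exists (id $($existing.Id)); nothing created."
    return
}

# Same four fields as the portal entry: name, description, OMA-URI, Boolean value True.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Point Windows Hello for Business at the tenant for cloud Kerberos trust'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'UseCloudTrustForOnPremAuth'
            description   = 'Windows Hello for Business cloud trust'
            omaUri        = $omaUri
            value         = $true
        }
    )
}

$newProfile = New-MgDeviceManagementDeviceConfiguration -BodyParameter $body
Write-Host "Created profile $($newProfile.Id) with OMA-URI $omaUri"

# A profile without an assignment is never delivered, so assign it if a group was given.
if ($AssignToGroupId) {
    $assignment = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $AssignToGroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($newProfile.Id)/assign" `
        -Body $assignment | Out-Null
    Write-Host "Assigned profile to group $AssignToGroupId"
}
```

After the device has synced, run `dsregcmd /status` on it: the SSO State section should report OnPremTgt : YES alongside CloudTgt : YES once the user has signed in with Windows Hello, which is the quickest way to confirm the policy reached the device with the correct tenant ID.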

Summary

Thanks to Windows Hello for Business Cloud Trust, it's much easier to obtain Kerberos authentication with Windows Hello from a cloud-only (Azure AD joined) device.
For me, there are few to no reasons to use hybrid joined devices. All thanks to this great feature!