Cloud Trust with Azure ADJoinedDevices

Jan Hansen 26 Reputation points
2022-09-13T10:45:41.443+00:00

Hello

I'm trying to set up cloud trust for WHFB. The login with face or fingerprint works fine; the only thing not working is the authentication to on-prem resources.

When I log in with WHFB and try to start an application, really any (Explorer, Browser, Windows Settings), the following pop-up appears.

(screenshot attachment: 240508-image.png)

When using username and password I'm able to view the resources; fingerprint and face are not accepted.

When trying to view or get my krbtgt ticket I get the following error:

(screenshot attachment: 240572-image.png)

So from my understanding cloud trust doesn't send the credentials to verify to on-prem AD, am I correct?

Here is some additional info that might help:

(screenshot attachment: 240535-image.png)

I can't find any useful articles, so I'm hoping to get some help here.

I followed the MS instructions from here: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust

Server and clients fulfill the requirements.

OMA-URI is correct.

Thanks in advance

Regards

Jan


2 answers

  1. Givary-MSFT 32,311 Reputation points Microsoft Employee
    2022-09-14T08:06:58.333+00:00

    @Jan Hansen Thank you for reaching out to us. To start troubleshooting this issue, we would like to start from
    dsregcmd /status and check whether there are any issues with the device join state.

    Prerequisites:

    1. Have you signed in with a hybrid user?
    2. Do you have a PRT on the device? Also, any AADJ errors?
    3. Version of the Windows 10 client (the Windows client version must be >= 20H1 (2004)).

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust#:~:text=Hello%20for%20Business.-,Prerequisites,-Requirement

    Share the dsregcmd /status output from the device to investigate further.

    Reference: https://www.youtube.com/watch?v=q0Y4g0dcOY4 - Configuring Hybrid Cloud Trust.

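The checks listed in this answer (hybrid join state, PRT, AADJ errors, client build) can be read straight out of dsregcmd /status. The script below is an added example and not part of the thread or of any Microsoft tooling; it assumes the standard "Name : Value" layout of dsregcmd output, that the OnPremTgt/CloudTgt fields exist on builds that support cloud trust, and that the local build number is readable from the CurrentVersion registry key.

```powershell
# Added example (not from the thread): parse 'dsregcmd /status' and report the WHFB
# cloud trust prerequisites listed above. Run it without arguments on the affected
# device, or pass saved output (and the build number) to review a report offline.
function Test-CloudTrustPrereqs {
    param(
        [string[]]$StatusText = (dsregcmd /status),
        # Windows 10 2004 (20H1) is build 19041; assumption: build taken from the registry.
        [int]$Build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    )

    # dsregcmd prints indented "Name : Value" lines; collect them into a lookup table.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z0-9][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $results = [ordered]@{
        'Device is Azure AD joined (AzureAdJoined = YES)'     = ($state['AzureAdJoined'] -eq 'YES')
        'Device is domain joined, i.e. hybrid (DomainJoined)' = ($state['DomainJoined'] -eq 'YES')
        'Primary Refresh Token present (AzureAdPrt = YES)'    = ($state['AzureAdPrt'] -eq 'YES')
        "Windows build $Build >= 19041 (Windows 10 2004)"     = ($Build -ge 19041)
    }
    # Builds that support cloud trust also report the two Kerberos TGTs it relies on
    # (assumption: field names OnPremTgt and CloudTgt); skip the check if they are absent.
    foreach ($tgt in 'OnPremTgt', 'CloudTgt') {
        if ($state.ContainsKey($tgt)) { $results["$tgt obtained ($tgt = YES)"] = ($state[$tgt] -eq 'YES') }
    }

    foreach ($check in $results.Keys) {
        $mark = if ($results[$check]) { 'PASS' } else { 'FAIL' }
        '[{0}] {1}' -f $mark, $check
    }
    # Surface any non-zero error fields from the Diagnostic Data section for lookup.
    foreach ($key in @($state.Keys) | Where-Object { $_ -like '*Error*' -and $state[$_] -ne '0x0' }) {
        '[INFO] {0} = {1}' -f $key, $state[$key]
    }
}

# Constructed sample (not real device output) showing the pattern from the question:
# hybrid joined with a PRT, but no on-prem TGT obtained.
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES',
    '                AzureAdPrt : YES',
    '                 OnPremTgt : NO',
    '                  CloudTgt : YES'
)
Test-CloudTrustPrereqs -StatusText $sample -Build 19044
```

A FAIL on the OnPremTgt line with everything else passing points at the on-prem side (the Azure AD Kerberos server object or domain controller reachability) rather than at the device join state.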

  2. Limitless Technology 44,221 Reputation points
    2022-09-19T07:51:37.513+00:00

    Hi HansenJen-7889,

    Thank you for posting your query.

    Try the methods below to disable Windows Hello for Business enrollment without Intune.

    Sign into the Microsoft Endpoint Manager admin center.

    Go to Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business. The Windows Hello for Business pane opens.

    If you don't want to enable Windows Hello for Business during device enrollment, select Disabled for Configure Windows Hello for Business.

    When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.

    Go to this link for your reference https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy

    ---------------------------------------------------------------------------------------------------

    If the answer is helpful kindly click "Accept as Answer" and upvote it. Thanks.

