Hybrid Azure AD Join and the Cloud Kerberos authentication configuration for Windows hello For Business?

Question

Folks,

Can someone please confirm if the computer that is already Azure AD Joined or Hybrid Azure AD joined must be using the Cloud Kerberos to allow the Windows Hello for Business feature like below?

Because I have done the GPO and applied it successfully to all of my HAADJ enabled computers using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=gpo#configure-windows-hello-for-business-policy

Do I have to follow additional steps:

1. Enabling the cloud Kerberos trust authentication by following the steps described in: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
2. Configure the cloud Kerberos trust policy using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy

or just this one simple procedure: https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello

Any help would be greatly appreciated.

Answer 1

@EnterpriseArchitect

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on WHFB in hybrid environment.

Please do correct me if this is not the case by responding in the comments section.

Enabling the cloud Kerberos trust authentication by following the steps described in: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module

• The above docs assist on how to enable passwordless authentication to on-premises resources for environments with both Microsoft Entra joined and Microsoft Entra hybrid joined Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with Windows Hello for Business Cloud trust

Configure the cloud Kerberos trust policy using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy

This is to be used when you want to deploy cloud kerberos trust. However if you deploy https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello, then then would deploy with regular key trust model.

• Windows Hello for Business cloud Kerberos trust uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model.
• Key trust and certificate trust use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
• Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.
  With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.