Hybrid Azure AD Join and the Cloud Kerberos authentication configuration for Windows Hello for Business?

EnterpriseArchitect 6,061 Reputation points
2023-10-18T06:28:23.1233333+00:00

Folks,

Can someone please confirm if the computer that is already Azure AD Joined or Hybrid Azure AD joined must be using the Cloud Kerberos to allow the Windows Hello for Business feature like below?


Because I have done the GPO and applied it successfully to all of my HAADJ enabled computers using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=gpo#configure-windows-hello-for-business-policy

Do I have to follow these additional steps:

  1. Enable the cloud Kerberos trust authentication by following the steps described in: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
  2. Configure the cloud Kerberos trust policy using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy

or just this one simple procedure: https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello

Any help would be greatly appreciated.


Accepted answer
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2023-10-23T10:05:49.37+00:00

    @EnterpriseArchitect

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for advisory on WHfB in a hybrid environment.

    Please do correct me if this is not the case by responding in the comments section.

    Enabling the cloud Kerberos trust authentication by following the steps described in: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module

    • The above docs assist on how to enable passwordless authentication to on-premises resources for environments with both Microsoft Entra joined and Microsoft Entra hybrid joined Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with Windows Hello for Business cloud trust.

    Configure the cloud Kerberos trust policy using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy

    This is to be used when you want to deploy cloud Kerberos trust. However, if you deploy https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello, then it would deploy with the regular key trust model.

    • Windows Hello for Business cloud Kerberos trust uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model.
    • Key trust and certificate trust use certificate authentication-based Kerberos for requesting Kerberos ticket-granting tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
    • Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.
      With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

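The answer above distinguishes two prerequisites that are easy to confuse: the Microsoft Entra Kerberos server object created once per AD domain (the first link) and the per-device cloud Kerberos trust policy (the second link); setting only the generic WHfB policy leaves the device on key trust. The following PowerShell, added here and not part of the Q&A thread, checks both halves from a hybrid-joined client that has the RSAT ActiveDirectory module installed. It assumes the object and account names Set-AzureADKerberosServer creates (AzureADKerberos, krbtgt_AzureAD) and the field names printed by dsregcmd /status on current Windows builds.

```powershell
# Added example: verify that a hybrid-joined client is provisioned for
# WHfB cloud Kerberos trust rather than the default key trust model.

# 1. Domain side: the Entra Kerberos server object must exist. It is created
#    by Set-AzureADKerberosServer (AzureADHybridAuthenticationManagement
#    module), not by any GPO or Intune policy. Names assumed from that cmdlet.
$kerbServer = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -ErrorAction SilentlyContinue
$kerbKrbtgt = Get-ADUser -Filter "Name -eq 'krbtgt_AzureAD'" -Properties PasswordLastSet -ErrorAction SilentlyContinue
if (-not $kerbServer -or -not $kerbKrbtgt) {
    Write-Warning "Entra Kerberos server object missing: Entra ID cannot issue TGTs for this domain."
} else {
    # The krbtgt_AzureAD key should be rotated on a schedule, so its age is worth recording.
    Write-Output ("Entra Kerberos object present; krbtgt_AzureAD key last set {0}" -f $kerbKrbtgt.PasswordLastSet)
}

# 2. Client side: both policy values must be 1. 'Enabled' alone deploys
#    key trust, which is the case the answer warns about.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
$whfbEnabled = ($pol.Enabled -eq 1)
$cloudTrust  = ($pol.UseCloudTrustForOnPremAuth -eq 1)
Write-Output ("WHfB policy enabled: {0}; cloud Kerberos trust policy: {1}" -f $whfbEnabled, $cloudTrust)
if ($whfbEnabled -and -not $cloudTrust) {
    Write-Warning "Device will provision with key trust; UseCloudTrustForOnPremAuth is not set."
}

# 3. Join and SSO state. A hybrid-joined device reports both join flags;
#    OnPremTgt: YES means a cloud-issued TGT for the AD realm was obtained.
$status = dsregcmd /status
$azureAdJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
$onPremTgt     = [bool]($status -match '^\s*OnPremTgt\s*:\s*YES')
Write-Output ("AzureAdJoined: {0}; DomainJoined: {1}; OnPremTgt: {2}" -f $azureAdJoined, $domainJoined, $onPremTgt)

# Summary: all three conditions must hold for cloud Kerberos trust to work.
$ready = $kerbServer -and $kerbKrbtgt -and $whfbEnabled -and $cloudTrust -and $azureAdJoined -and $domainJoined
Write-Output ("Cloud Kerberos trust prerequisites met: {0}" -f [bool]$ready)
```

OnPremTgt only becomes YES after a user signs in with Windows Hello for Business on the provisioned device, so a NO on a freshly policied machine is not by itself a misconfiguration.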
