Windows Hello for Business Hybrid with certificate, but without ADFS ???

_KUL 286 Reputation points
2020-12-03T08:27:08.003+00:00

Hello!
There is a working model of Windows Hello for Business Hybrid keys, everything works fine! Kerberos via on-premises AD, PRT via Azure AD. But I really want pin-code authorization (SSO) and with RDP to work. Now everything is implemented through the beautiful Azure AD Connector. The main task is to provide WHfB users in the local network, i.e. Hybrid computers.
Question: How do I make the Windows Hello for Business infrastructure correctly without adding extra services (without ADFS)? Who in the local environment should issue clients the certificate (the CA itself)?) and how to configure it correctly?

There is an example of configuring a hybrid environment using ADFS certificates, but the presence of ADFS does not suit: hello-hybrid-cert-whfb-settings-pki
It looks like you need an Azure AD joined scheme based on certificates, but Intune and NDES are used here, and Intune is not available for hybrid computers, and NDES seems redundant hello-hybrid-aadj-sso-cert

44390-model.png

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,262 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,788 questions
{count} votes

Accepted answer
  1. _KUL 286 Reputation points
    2021-02-16T06:26:29.237+00:00

    The question can probably be considered closed
    Windows Hello (Hybrid) + Key + RDP = Windows Defender Remote Credential Guard

    This information is modestly mentioned in the article when planning Windows Hello
    hello-planning-guide

    Need it on every page Windows Hello (Hybrid) Key Trust remind about Windows Defender Remote Credential Guard :)
    remote-credential-guard

    Many thanks to @Pierre Audonnet - MSFT for his note about assigning rights - You just need regular RDP permissions (or example by being a member of the Remote Desktop Users local group of the target)

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2020-12-03T23:58:28.117+00:00

    you can deploy Hybrid certificate trust without ADFS. But you need Intune and NDES as far as I know.

    ADFS act as a Registration authority (RA) and NDES covers that.. however to get you enrolled into WHFB container. you need Intune SCEP connector

    Which is defined in setup 11 on below doc
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert

    --> 11. Select Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later) from the Key storage provider (KSP) list.

    I don't know if any other way to skip that part without Intune.

    1 person found this answer helpful.

  2. Sean Kenny 1 Reputation point
    2022-01-20T06:43:49.11+00:00

    So I fought this for the past three years, and 6 months ago or so I found the answer. I don't know why Microsoft feels the need to bury this stuff when its completely unnecessary. Key trust creates a simple key pair, but that private key in TPM(hw) or software can sign CSR's, which is how cert trust is really just an enlightened state of key trust. The problem is for most folks its a pretty ridiculous burden to add all this extra stuff, nevermind how active they are discouraging federation. Anyways your solution template can be found by looking at the code here (https://www.powershellgallery.com/packages/Generate-CertificateRequest/1.0) I have used it to essentially enlighten a .req with the appropriate template (the only reason you cant request certificate with same key in gui mmc is because it has no template on it) and pull directly from CEP/ADCS. Works on a pure AAD device too :). There is the smallest little snippet in the docs that lead me to this, they publish it under the guise of if you have a 3rd party CA, but its just goofy. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs#using-non-microsoft-enterprise-certificate-authorities


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.