Hello @testuser7,
Thank you for posting your query on Microsoft Q&A.
For a pure Microsoft Entra-joined Windows device, to enable Hybrid-User authentication with Windows Hello for Business credentials and obtain a Partial-TGT from Entra ID, you need to deploy the "Cloud Kerberos Trust policy" from Intune.
The Cloud Kerberos trust model simplifies the deployment process by allowing users to authenticate directly with Microsoft Entra ID, which then issues a Partial TGT. This model eliminates the need for PKI requirements and Azure AD Connect synchronization for writing back public keys to Active Directory.
There are different ways to enable and configure Windows Hello for Business in Intune:
- Using a policy applied at the tenant level. The tenant policy:
  - Is only applied at enrollment time, and any changes to its configuration don't apply to devices already enrolled in Intune
  - Applies to all devices getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
- A device configuration policy that is applied after device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
For more detailed information, please refer to the documents attached below.
I hope the above information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks and Regards,
Sanoop Mohan
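As an added example (not part of the answer above and not Microsoft tooling), the following PowerShell check parses `dsregcmd /status` output to confirm that an Entra-joined device holds a PRT and has received the cloud (partial) TGT after the Cloud Kerberos trust policy lands. The sample output is constructed; on a real device, feed it `dsregcmd /status` instead.

```powershell
# Added example: verify Cloud Kerberos trust state from dsregcmd /status.
# Field names (AzureAdJoined, AzureAdPrt, CloudTgt, OnPremTgt) are the ones
# dsregcmd prints on current Windows builds; the sample below is constructed.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "   Name : Value" rows; collect them into a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-CloudKerberosTrust {
    param([hashtable]$State)
    # Each check is a precondition for Hello for Business sign-in via cloud trust.
    # OnPremTgt only turns YES once the device has line of sight to a DC, so a
    # NO there on a remote device is expected rather than a misconfiguration.
    $checks = [ordered]@{
        'Entra joined (AzureAdJoined)'     = ($State['AzureAdJoined'] -eq 'YES')
        'PRT present (AzureAdPrt)'         = ($State['AzureAdPrt']    -eq 'YES')
        'Cloud TGT obtained (CloudTgt)'    = ($State['CloudTgt']      -eq 'YES')
        'On-prem TGT obtained (OnPremTgt)' = ($State['OnPremTgt']     -eq 'YES')
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $name)
    }
    # Cloud trust is working when the PRT and the cloud TGT are both present.
    return ($checks['PRT present (AzureAdPrt)'] -and $checks['Cloud TGT obtained (CloudTgt)'])
}

# Constructed sample resembling the relevant rows of dsregcmd /status.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                 OnPremTgt : NO
                  CloudTgt : YES
'@ -split "`r?`n"

# Real device:  $lines = dsregcmd /status
$ok = Test-CloudKerberosTrust (ConvertFrom-DsregStatus $sample)
Write-Host ("Cloud Kerberos trust ready: {0}" -f $ok)
```

A FAIL on CloudTgt with AzureAdPrt YES usually means the policy has not applied yet or the device has not re-authenticated since it did, so check the policy assignment and Intune sync before looking further.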