Windows 10: Cloud Kerberos trust for hybrid domain join machines &WHFB

Discussion in 'Windows 10 Gaming' started by sankapradeep, Mar 2, 2025.

  1. Cloud Kerberos trust for hybrid domain join machines &WHFB


    Hi All, I want to deploy Windows Hello for Business for Hybrid domain joined devices with cloud Kerberos trust. Most of the articles and online videos discuss WHFB for AAD joined devices, not for Hybrid joined devices. Is there any guide to implement Cloud Kerberos trust for Hybrid domain joined devices, or is it similar for AAD domain joined devices? Do we require Cloud Kerberos trust for Hybrid domain joined devices? If no, is it just the Intune configuration for the users without the "Use cloud trust for on-prem auth" configuration?

    :)
     
    sankapradeep, Mar 2, 2025
    #1

  2. Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what about the decommissioning of the AD FS?

    Hello,

    Today we have deployed Windows Hello for Business to all our end user Windows 10 devices based on the "Certificate Trust" deployment. We have now prepared, configured and tested with success the "Cloud Kerberos trust" deployment.

    We have understood that during the migration from the on-premise deployment to the hybrid deployment, we have to force users to re-enroll them with Windows Hello for Business. Please correct me if I am wrong.

    Now we are wondering, what would be the impact if we decommission the AD FS before having redeployed all our users to the hybrid scenario "Cloud Kerberos Trust"?

    • For users not migrated to the hybrid deployment, will WHFB still work without AD FS?
    • What will happen if the certificate delivered by the internal certificate authority expires? Will the certificate still be renewed by the PKI, without going through the AD FS? Or will the user get stuck with a non-working PIN?

    Thanks.
     
    BUSSIERE Florian, Mar 2, 2025
    #2
  3. WHFB Cloud Trust - Dual Enrollment not supported - Any other solution ?

    Hello,

    We have been using WHFB Certificate Trust for a few years now and we are going to migrate to WHFB Cloud Trust.

    • When the user is correctly registered on the device, we disable the use of the password for all users (including local account) on the computer for security reasons, so the only way to access the session is with the WHFB authentication defined by the user.
    • For specific users that need elevated privileges on the computer, we ask them to register their admin account with Dual Enrollment, which was supported with WHFB Certificate Trust: Dual Enrollment - Windows Security | Microsoft Lear

      --> So from the user's standard session, it was possible to select the WHFB smart card of the admin account to do elevated actions and everything was fine for everyone! No need to switch to the admin session.

    I am now testing WHFB Cloud Trust and this is not possible anymore. After reading the MS link above, I see that Dual Enrollment was only supported with Certificate trust.

    From your experience with WHFB Cloud Trust, and considering that the security team will not allow us to reactivate the use of passwords on the device, do you know any other solution to be able to do elevated privilege actions on the device from a standard session and without switching to the admin session?

    Use case: validate a prompt that asks for admin privilege on the user session

    Thanks for your help !
     
    ARGUAIROLLES Florian, Mar 2, 2025
    #3
  4. mik256 Win User

    Do I need Azure premium for cloud hybrid trust / key hybrid trust or not?

    Hello,

    we'd like to set up Windows Hello for Business to get MFA for Windows logon. We have a fully on-premise environment and a tight budget - we can't afford Azure Premium subscriptions for our users.

    My question is: on MS sites, it is said you need Azure Premium for certificate trust. What about Kerberos cloud hybrid trust and key hybrid trust? Can we go without subscriptions?

    I have already tried to set it up and successfully set up the PIN, but I am constantly getting errors when trying to log in with the PIN:

    - 0xc000005e PIN code is not available and this function is not supported in your organization

    - this option is not available at the moment

    etc.

    Is that because we are missing subscriptions?

    PS when setting up the pin on one PC I got a funny error - rolling circle in the foreground and textbox for setting the pin hidden in the background
     
    mik256, Mar 2, 2025
    #4