Windows 10: Do I need Azure premium for cloud hybrid trust / key hybrid trust or not?

Hello, we'd like to setup Windows Hello for Business to get MFA for Windows logon. We have fully on premise environment and tight budget - can't afford Azure Premium subsriptions for our users. My question is: on MS sites, it is said you need Azure Premium for certificate trust. What about kerberos cloud hybrid trust and key hybrid trust. Can we go without subscriptions? I have already tried to set it up, successfully setup pin, but constantly getting errors when try to login with the pin:- 0xc000005e PIN code is not available and this function is not supported in your organization - this opti

:)

 

Deploy Windows Hello for Business Cloud Trust using Intune

Hi,

I am deploying WHfB Cloud Trust in Hybrid Azure AD. I followed the Microsoft Documentation: Windows Hello for Business cloud Kerberos trust deployment

First I tried using GPO and it works well. I can see the event 358 saying WHfB cloud trust is enabled and the computer got the TGT ticket. Everything works fine.

But then I removed the GPO and tried using Intune. The users are prompted to create the PIN and they are able to log in but it fails randomly. I checked the event viewer and now in the event 358 it says that Cloud Trust is not enabled and the TGT ticket is "not tested"

Both the configuration profiles in Intune (enablement with OMA uri and PIN Reqs) are applied, the state is "Succeded" for the computers. Why is Cloud Trust not enabled? I guess everything is ok in AD and the computer as when I enable the GPO it works fine and I can see how the secret is stored and read in Azure AD. Thanks

Regards.

 

Cloud Trust with Azure ADJoinedDevices

Hello

I'm trying to setup cloud trust for WHFB. The login with face or finger works fine, the only thing not working is the authentication to on prem-resources.

When i login with Whfb and try to start an application really any (Exporer, Browser, Windows Settings) following Pop-Up appears.





When using Username and password I'm able to view the resources, fingerprint and face are not accepted.

When trying to view or get my krbgt ticket I get following error:





So from my understanding cloud trust doesn't send the credentials to verify to on prem AD am i correct?

Here is some Additional Info that might help:









I Cant find any useful articles, so I'm hoping to get some help here.



I followed MS instruction from here: Windows Hello for Business cloud Kerberos trust deployment

Server and Clients fulfill the Requirements

Oma-Uri is correct

Thanks in Advance

Regards

Jan

 

Azure and on-prem (hybrid) and NTP best practices

Hello all

For those of you in an Azure hybrid environment (i.e. on-prem and Azure with DCs in each) did you make any changes to NTP on Azure machines or are you using the out of box configuration when using NTP? I assume people are leaving the default for all machines in Azure and following best practices for on-prem and pointing to the PDC? Can you please advise? What is best practice?