Windows 10: Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what...

Discussion in 'Windows 10 Software and Apps' started by BUSSIERE Florian, Dec 11, 2023.

  1. Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what...


    Hello,

    Today we have deployed Windows Hello for Business to all our end user Windows 10 devices based on the "Certificate Trust" deployment. We have now prepared, configured and tested with success the "Cloud Kerberos trust" deployment.

    We have understood that during the migration from the on-premise deployment to the hybrid deployment, we have to force users to re-enroll them with Windows Hello for Business. Please correct me if I am wrong.

    Now we are wondering, what would be the impact if we decommission the AD FS before having redeployed all our users to the hybrid scenario "Cloud Kerberos Tru

    :)
     
    BUSSIERE Florian, Dec 11, 2023
    #1
  2. Antuanfff Win User

    Deploy Windows Hello for Business Cloud Trust using Intune

    Hi,

    I am deploying WHfB Cloud Trust in Hybrid Azure AD. I followed the Microsoft Documentation: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust

    First I tried using GPO and it works well. I can see the event 358 saying WHfB cloud trust is enabled and the computer got the TGT ticket. Everything works fine.

    But then I removed the GPO and tried using Intune. The users are prompted to create the PIN and they are able to log in, but it fails randomly. I checked the event viewer and now in the event 358 it says that Cloud Trust is not enabled and the TGT ticket is "not tested".

    Both the configuration profiles in Intune (enablement with OMA-URI and PIN Reqs) are applied, the state is "Succeeded" for the computers. Why is Cloud Trust not enabled? I guess everything is OK in AD and the computer, as when I enable the GPO it works fine and I can see how the secret is stored and read in Azure AD. Thanks

    Regards.
     
    Antuanfff, Dec 11, 2023
    #2
  3. mik256 Win User

    Do I need Azure premium for cloud hybrid trust / key hybrid trust or not?

    Hello,

    we'd like to set up Windows Hello for Business to get MFA for Windows logon. We have a fully on-premise environment and a tight budget - can't afford Azure Premium subscriptions for our users.

    My question is: on MS sites, it is said you need Azure Premium for certificate trust. What about Kerberos cloud hybrid trust and key hybrid trust? Can we go without subscriptions?

    I have already tried to set it up and successfully set up the PIN, but I am constantly getting errors when trying to log in with the PIN:

    - 0xc000005e PIN code is not available and this function is not supported in your organization

    - this option is not available at the moment

    etc.

    Is that because we are missing subscriptions?

    PS when setting up the pin on one PC I got a funny error - rolling circle in the foreground and textbox for setting the pin hidden in the background
     
    mik256, Dec 11, 2023
    #3
  4. Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what...

    N8 certificates not trusted/don't match the name

    Well I worked out for myself how to verify the certificates are genuine:

    • Using a desktop computer
    • Go to the page with the certificates
    • Select a certificate
    • It will say either:
      • Certificate already exists - this confirms that the certificate on the website matches one already in your browser, which we already trust, therefore the certificate on the website is trustworthy
      • Asks if you want to install the certificate, DON'T.
        • First view the certificate details.
        • Copy the certificate serial number or SHA1/SHA256/MD5/etc hash
        • Paste this into a search engine
        • If another website that you trust lists the certificate, e.g. your phone manufacturer or another trusted website (preferably a secure website, therefore you have confidence the website is genuine), then you can trust the certificate
        • If no trustworthy sites are returned in the search then try another hash or serial number
        • If you can't find any trustworthy sites listing the certificate then I suggest you don't trust it.
    • Finally, if you decide you trust a certificate then you can download and install on your phone.
     
    CurvyClover488, Dec 11, 2023
    #4