Windows 10: WHFB Cloud Trust - Dual Enrollment not supported - Any other solution ?

Discussion in 'Windows 10 Gaming' started by ARGUAIROLLES Florian, Dec 15, 2023.

  1. WHFB Cloud Trust - Dual Enrollment not supported - Any other solution ?


    Hello,

    We have been using WHFB Certificate Trust for a few years now and we are going to migrate to WHFB Cloud Trust.

    When the user is correctly registered on the device, we disable the use of the password for all users, including local accounts on the computer, for security reasons, so the only way to access the session is with the WHFB authentication defined by the user.

    For specific users who need elevated privileges on the computer, we ask them to register their admin account with Dual Enrollment, which was supported with WHFB Certificate Trust: Dual Enrollment - Windows Security Microsoft Lear

    ARGUAIROLLES Florian, Dec 15, 2023
    #1

  2. Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what about the decommissioning of the AD FS?

    Hello,

    Today we have deployed Windows Hello for Business to all our end user Windows 10 devices based on the "Certificate Trust" deployment. We have now prepared, configured and tested with success the "Cloud Kerberos trust" deployment.

    We have understood that during the migration from the on-premise deployment to the hybrid deployment, we have to force users to re-enroll with Windows Hello for Business. Please correct me if I am wrong.

    Now we are wondering, what would be the impact if we decommission the AD FS before having redeployed all our users to the hybrid scenario "Cloud Kerberos Trust"?

    • For users not migrated to the hybrid deployment, will WHFB still work without AD FS?
    • What will happen if the certificate delivered by the internal certificate authority expires? Will the certificate still be renewed by the PKI, without going through the AD FS? Or will the user get stuck with a non-working PIN?

    Thanks.
     
    BUSSIERE Florian, Dec 15, 2023
    #2
  3. Elieen Do Win User
    Missing WHFB pin sign-in option while login Windows

    The Windows device enrolled into Intune successfully by Autopilot, and it prompts to configure Windows Hello for Business after provisioning.

    WHFB was configured successfully, but after restarting the device I do not have the option to log in with WHFB; only username and password are available.

    In Intune, I have enabled WHFB in Devices>Windows Enrollment>Windows Hello for Business, and also configured an identity protection configuration profile to enable Windows Hello for Business.

    On the target device, under Settings>Sign-in options, no error is shown on this page.

    May I ask if there are any steps we are missing? Or if there is anything else we need to check?
     
    Elieen Do, Dec 15, 2023
    #3
  4. Antuanfff Win User

    Deploy Windows Hello for Business Cloud Trust using Intune

    Hi,

    I am deploying WHfB Cloud Trust in Hybrid Azure AD. I followed the Microsoft Documentation: Windows Hello for Business cloud Kerbeity

    First I tried using GPO and it works well. I can see the event 358 saying WHfB cloud trust is enabled and the computer got the TGT ticket. Everything works fine.

    But then I removed the GPO and tried using Intune. The users are prompted to create the PIN and they are able to log in, but it fails randomly. I checked the event viewer and now event 358 says that Cloud Trust is not enabled and the TGT ticket is "not tested".

    Both the configuration profiles in Intune (enablement with OMA-URI and PIN Reqs) are applied; the state is "Succeeded" for the computers. Why is Cloud Trust not enabled? I guess everything is OK in AD and on the computer, as when I enable the GPO it works fine and I can see how the secret is stored and read in Azure AD. Thanks

    Regards.
     
    Antuanfff, Dec 15, 2023
    #4