Windows 10: Windows Hello for Business and Kerberos Trust

We're having an issue with setting up WHfB in our hybrid environment. DC is server 2016 and devices are Entra Hybrid Joined, although I've tested with an Entra joined only laptop and it's the same. The Kerberos Trust Server has been successfully set up on the DC the only one in the estate. The relevant WHfB settings have been applied to a test user group. The user can successfully set up WHfB on their device and cached tickets can be seen when running klist. The cached tickets are removed when the user locks the device or signs out, as expected, however they are never generated again after

:)

 

Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what about the decommissioning of the AD FS?

Hello,

Today we have deployed Windows Hello for Business to all our end user Windows 10 devices based on the "Certificate Trust" deployment. We have now prepared, configured and tested with success the "Cloud Kerberos trust" deployment.

We have understood that during the migration from the on-premise deployment to the hybrid deployment, we have to force users to re-enroll them with Windows Hello for Business. Please correct me if I am wrong.

Now we are wondering, what would be the impact if we decommission the AD FS before having redeployed all our users to the hybrid scenario "Cloud Kerberos Trust"?

• For users not migration to the hybrid deployment, will WHFB still work without AD FS?
  
• What will happen if the certificate delivered by the internal certificate authority get expired? Will the certificate still be renewed by the PKI, without going through the AD FS? Or will the user get stuck, with a none working PIN?
  

Thanks.

 

Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what about the decommissioning of the AD FS?

Hi,

Thanks do the quick answer.

I have raised the same question on the "sister" forum.

I am adding the link to it, for follow-up:

Migrating from Windows Hello for Business Certificate Trust to Cloud Kerberos Trust, what about the decommissioning of the AD FS? - Microsoft Q&A

Thanks.

 

What are the requirements to use Windows Hello for Business with Azure Files?

Hello everyone,

We want to move all our data and infrastructure from on-prem to Azure Files, but I need to make sure that Windows Hello for Business works flawlessly with Azure Files. I can't find ressources about the integration between these two technologies and the requirements.

So, here are my questions:

If I use AADDS (Azure Active Directory Domain Services) with Azure Files, will it work automatically with WHFB?

If not, then what are the requirements? It looks like I still need ADDS (Active Directory Domain Services) and could use "Cloud Trust" or AAD Kerberos. AAD Kerberos seems to be very promising but one of the requirements is Windows 11 "Enterprise". So, my other question is: Does AAD Kerberos works with Windows 11 Business?

Thank you very much for the help!