Forum Discussion

EricBBB
Copper Contributor
Mar 13, 2025
Solved

Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust

Hello everyone,

I've recently begun testing Windows Hello for Business in our environment, where we utilise Microsoft Entra hybrid join authentication with cloud Kerberos trust. I suspect that our on-premises physical firewall may be contributing to several issues we're experiencing, and I would like to clarify my understanding of hybrid join authentication using cloud Kerberos trust.

To access the internet, we use SSO with our firewall, meaning that after validating local AD credentials, the user gains access to the public network. My question is: Is internet access required for on-premises logins when using Windows Hello for Business?

From my research on Microsoft's documentation, it appears that if you're using cloud Kerberos trust and the PC is blocked from the internet, the Windows Hello for Business sign-in will fail. Essentially, the on-premises Domain Controller can only issue the final Ticket Granting Ticket (TGT) after receiving a valid Partial TGT from Microsoft Entra ID. This would imply that if the machine cannot reach Microsoft Entra ID due to firewall restrictions, the user will be unable to log in.

In our case, the user successfully enrolled the device on-premises, but the next morning they encountered the error "PIN isn't available: 0xc000005e 0x0."

Could anyone confirm whether my understanding is correct?

Thank you for your assistance!

  • micheleariis
    Steel Contributor

    Hi, using cloud Kerberos trust with hybrid join requires internet connectivity for on-premises logins. Essentially, the on-premises Domain Controller can issue the final TGT only after receiving a valid Partial TGT from Microsoft Entra ID. If the device is blocked from reaching the internet (for instance, by a firewall), the Windows Hello for Business sign-in will fail, as evidenced by the "PIN isn't available: 0xc000005e 0x0" error.
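An added troubleshooting script, not part of this thread, that checks from the affected client the three things the explanation above depends on: TCP/443 reachability of the Entra ID endpoints, whether a Primary Refresh Token (PRT) was obtained, and whether the cloud partial TGT is present. The endpoint list and the field names matched in the dsregcmd and klist output are assumptions based on Microsoft's documented tools; the domain name is taken from the USERDNSDOMAIN environment variable.

```powershell
# Run as the affected user on the hybrid-joined client, ideally while the
# "PIN isn't available" symptom is present. Assumed Entra ID endpoints:
$endpoints = 'login.microsoftonline.com',
             'device.login.microsoftonline.com',
             'enterpriseregistration.windows.net'

function Test-EntraReachability {
    # Cloud Kerberos trust needs the client to reach Entra ID over HTTPS
    # before the desktop exists; a firewall that only opens the internet after
    # an interactive SSO session blocks exactly this pre-logon traffic.
    foreach ($h in $endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $h; Tcp443 = $r.TcpTestSucceeded }
    }
}

function Get-PrtState {
    # dsregcmd /status reports "AzureAdPrt : YES" once a PRT was acquired
    $m = dsregcmd /status | Select-String 'AzureAdPrt\s*:\s*(\w+)' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-CloudTgtState {
    # klist cloud_debug shows whether Entra ID issued the partial (cloud) TGT;
    # "1" means the DC exchange for the full TGT can proceed, "0" means it cannot.
    $m = klist cloud_debug |
         Select-String 'Cloud Primary \(Hybrid logon\) TGT available:\s*(\d)' |
         Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-KeyListDc {
    # A DC that exchanges the partial TGT must advertise Kerberos key list support
    nltest /dsgetdc:$env:USERDNSDOMAIN /keylist /kdc
}

Test-EntraReachability | Format-Table -AutoSize
"AzureAdPrt (PRT acquired)  : $(Get-PrtState)"
"Cloud partial TGT available: $(Get-CloudTgtState)"
Get-KeyListDc
```

If the endpoints are unreachable and the partial TGT reads 0 while on-prem DCs are found, the firewall rather than the domain is the blocker; if no key-list capable DC is returned, the problem is the on-premises side instead.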
