Forum Discussion
Enable Windows Hello in Hybrid Environment
- Mar 30, 2024
dilanmic: First, yes, you should move forward with Windows Hello for Business if you can, because it is a phishing-resistant method of authentication for all Windows computers. Microsoft now recommends Cloud Kerberos Trust instead of Certificate Trust for most scenarios. The only caveat is that if you can move your computers to Entra Joined (requires a full device wipe), then you can use the Key Trust method. When machines are hybrid joined, you cannot use Intune exclusively to manage Windows Hello for Business; you must first configure Cert Trust, or the preferred Cloud Kerberos Trust.
The WHfB setup with Cloud Kerberos Trust requires running a script on a writable domain controller (not an RODC) to configure the necessary trust settings and objects in Active Directory. This is a one-time operation that does not need to be performed on each domain controller.
After the initial setup, when a user tries to authenticate using WHfB, the authentication request needs to be processed by a domain controller that can handle Cloud Kerberos Trust requests. RODCs, by design, do not hold writable copies of the domain database and typically refer authentication requests back to writable domain controllers.
Therefore, in a site with only RODCs, while the initial configuration for WHfB using Cloud Kerberos Trust can be set up elsewhere (on a writable domain controller), the actual authentication process might face challenges because RODCs do not process certain types of authentication requests like those needed for WHfB. Users in such sites would need to be able to reach a writable domain controller to complete their WHfB authentication successfully.
So in that scenario, you either need to re-think your RODC model, or deploy WH4B with Cert Trust, or move your computers to Entra joined (requires a full device wipe); for example, through attrition you can provide new Entra-joined computers to users.
Cloud Kerberos Trust Considerations
- Read-Only Domain Controller (RODC) Support: Cloud Kerberos Trust does not support authentication against RODCs directly. If you have environments where RODCs are used, especially in remote or branch office scenarios, this limitation needs to be considered.
- Network Requirements: Ensure reliable connectivity to Azure AD for authentication processes, as Cloud Kerberos Trust relies on Azure services for the Kerberos ticket issuance.
- Domain and Forest Functional Level: Verify that the domain and forest functional levels meet the minimum requirements for Windows Hello for Business with Cloud Kerberos Trust. Since Windows Server 2012 / R2 is no longer supported as of October 2023, you should make sure your domain controllers are running a supported version of Windows.
Certificate Trust
- Pros:
- Broad Compatibility: Works well in environments with complex networking and on-premises resources.
- Mature Technology: Having been around for a while, it is well understood and documented.
- RODC Support: Compatible with RODC, making it suitable for various deployment scenarios.
- Cons:
- Complexity: Requires a Public Key Infrastructure (PKI) setup, which can be complex to manage.
- Maintenance Overhead: PKI necessitates ongoing maintenance, including certificate issuance, renewal, and revocation.
Migrating to Entra (Azure AD) Joined and deploying WH4B with Key Trust via Intune
- Pros:
- Modern Management: Facilitates modern management and security practices, aligning with cloud-first strategies.
- Seamless User Experience: Offers a seamless sign-in experience for users with single sign-on (SSO) across cloud services. Many people do not know that your Entra Joined devices can also access on-premises AD resources like file shares. To learn more about that view the documentation here: https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources
- Reduced On-Premises Dependency: Minimizes the dependency on on-premises infrastructure, reducing maintenance and operational costs.
- Cons:
- Migration Effort: Requires effort and planning to migrate from hybrid to fully cloud environments.
- Compatibility Issues: May encounter compatibility issues with legacy applications and infrastructure.
- Network Dependency: Increased dependency on internet connectivity for authentication and access control.
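The pre-flight checks and the one-time setup described in the post above, as an added PowerShell example that is not part of Joe's reply or of any Microsoft script. It assumes the ActiveDirectory RSAT module on a writable DC or management host, and, for the setup step, Microsoft's AzureADHybridAuthenticationManagement module and its documented Set-AzureADKerberosServer / Get-AzureADKerberosServer cmdlets; the object names AzureADKerberos and krbtgt_AzureAD are the ones Microsoft's documentation says the setup creates, and the "2016 or later" OS threshold is this example's own assumption based on the October 2023 end of support for 2012 / 2012 R2.

```powershell
# Added example (not from the thread or from Microsoft): pre-flight check for
# Windows Hello for Business Cloud Kerberos Trust, plus the one-time setup wrapper.
# Run as a Domain Admin on a writable DC or a host with RSAT installed.
#Requires -Modules ActiveDirectory

function Test-CloudKerberosTrustPrereqs {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainInfo = Get-ADDomain -Identity $Domain
    $forestInfo = Get-ADForest -Identity $domainInfo.Forest
    $problems   = @()

    # 1. Inventory every DC; flag RODCs (cannot serve CKT logons directly) and
    #    DCs older than Windows Server 2016 (assumed unsupported, see lead-in).
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    foreach ($dc in $dcs) {
        $supportedOs = $dc.OperatingSystem -match 'Windows Server (2016|2019|2022|2025)'
        $status = if ($dc.IsReadOnly)        { 'RODC' }
                  elseif (-not $supportedOs) { 'UNSUPPORTED OS' }
                  else                       { 'OK' }
        if ($status -ne 'OK') { $problems += "$($dc.HostName) [$($dc.Site)]: $status" }
    }

    # 2. Sites that contain only RODCs: users there must reach a writable DC
    #    (WAN/VPN) to complete a WHfB CKT sign-in.
    foreach ($siteGroup in ($dcs | Group-Object -Property Site)) {
        $writable = $siteGroup.Group | Where-Object { -not $_.IsReadOnly }
        if (-not $writable) { $problems += "Site '$($siteGroup.Name)' has only RODCs" }
    }

    # 3. Has the Entra Kerberos server object already been created in this domain?
    #    Set-AzureADKerberosServer creates computer 'AzureADKerberos' in the Domain
    #    Controllers OU and a 'krbtgt_AzureAD' account (names from Microsoft docs).
    $kerbComputer = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" `
        -SearchBase $domainInfo.DomainControllersContainer -Server $Domain -ErrorAction SilentlyContinue
    $kerbKrbtgt = Get-ADUser -Filter "Name -eq 'krbtgt_AzureAD'" -Server $Domain -ErrorAction SilentlyContinue
    $setupDone = [bool]($kerbComputer -and $kerbKrbtgt)

    [pscustomobject]@{
        Domain              = $domainInfo.DNSRoot
        DomainMode          = $domainInfo.DomainMode
        ForestMode          = $forestInfo.ForestMode
        DomainControllers   = $dcs.Count
        ReadOnlyDCs         = @($dcs | Where-Object IsReadOnly).Count
        KerberosObjectReady = $setupDone
        Problems            = $problems
        Ready               = ($problems.Count -eq 0)
    }
}

function Initialize-CloudKerberosTrust {
    # One-time operation per domain (not per DC); must run on a writable DC.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$CloudAdminUpn,   # Entra Global/Hybrid Identity admin UPN
        [Parameter(Mandatory)][pscredential]$DomainCredential
    )
    if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
        Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Force
    }
    Import-Module AzureADHybridAuthenticationManagement
    if ($PSCmdlet.ShouldProcess($Domain, 'Create Entra Kerberos server object')) {
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn -DomainCredential $DomainCredential
    }
    # Verify both the AD object and the cloud-side copy exist.
    Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn -DomainCredential $DomainCredential
}

# Usage:
#   $r = Test-CloudKerberosTrustPrereqs -Domain 'corp.contoso.com'   # hypothetical domain
#   $r.Problems | ForEach-Object { Write-Warning $_ }
#   if ($r.Ready -and -not $r.KerberosObjectReady) {
#       Initialize-CloudKerberosTrust -Domain 'corp.contoso.com' `
#           -CloudAdminUpn 'admin@contoso.onmicrosoft.com' -DomainCredential (Get-Credential) -WhatIf
#   }
```

The check function is read-only, so it is safe to run before any change; an RODC-only site shows up in `Problems`, which is the case the post says you have to design around. `Initialize-CloudKerberosTrust` supports `-WhatIf`, and the `Get-AzureADKerberosServer` call at the end is the confirmation step to run after setup (the `KerberosObjectReady` flag only proves the on-premises objects exist).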
Thank you very much for the detailed explanation. If there are any concerns I'll post them here. At the moment we are considering the pros and cons of implementing Windows Hello with Cloud Kerberos Trust where we have DCs only. Maybe in the initial stage we may avoid locations where we have RODCs.
Just a quick one: if we go fully Azure AD standalone a few years down the line, do we need to go through a migration process, or does it work without any migration?
- Joe Stocker, Mar 31, 2024, Bronze Contributor: There is no migration of WH4B. What will happen is that when a user gets a new computer that is Entra ID Joined (aka Azure AD Joined), they will enroll into WH4B Key Trust and will re-register their PIN and/or biometrics. Those users can co-exist alongside the other users who are still using WH4B Cloud Kerberos Trust; you can have both methods active at the same time.
- dilanmic, Apr 09, 2024, Iron Contributor:
Hi Joe, can you tell me, when we set up Windows Hello, do we need to register Windows Hello via VPN for the first time?
Because I am getting the below error when I try to log in with PIN, without VPN:
"Something went wrong and your PIN isn't available (status: 0x000005e, substatus: 0x0). Click to set up your PIN again." Please note we are using a Kerberos Authentication certificate on the domain controller, not Cloud Kerberos Trust.
Thanks in advance,
Dilan
- Pablito, Sep 10, 2024, Copper Contributor: I have the same question. Does the PC need line of sight to a domain controller, during PIN enrollment and utilization? Is it possible to use a KDC proxy?
- dilanmic, Mar 31, 2024, Iron Contributor: Thanks!