WHfB with cert-trust-model


Good morning!!! Hope you had a good start to the day.

I am actually setting up “WHfB with cert-trust-model” and have one quick and binary question. Appreciate your help.

Is "device writeback" mandatory for JUST "Windows-Hello Cert-Trust-Model"?

I am NOT interested in obtaining enterprise-PRT through ADFS.

Mine is a simple use-case of Hybrid Azure AD join authentication using a Certificate (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication#hybrid-azure-ad-join-authentication-using-a-certificate)

MS has done a good job depicting the flow below, but if you focus on the bottom part of the flow where the “certificate-creation-request” is sent from the hybrid-device to the “Certificate-RA”, my understanding is that that request NEED NOT be signed by the device-private-key.

Of course the user-key, or at least the user-key-receipt, is needed, but cert-generation is NOT dependent on device-writeback.

Later on, if enterprise-PRT through ADFS is requested then definitely device-writeback is mandatory, but that is not what I am interested in.

Am I correct in my understanding?

Thanks.

[image: the Microsoft authentication-flow diagram referred to above]
