Introduction

If you’re here, you’ve probably tested the Entra-joined model of Autopilot deployment and realized that you get prompted for credentials every time you try to access on-prem resources. In this post, we will walk you through the steps to configure Windows Hello for Business (WHfB) with Cloud Kerberos Trust. This setup allows Microsoft Entra-joined devices to access on-premises resources without the user having to enter their credentials repeatedly.

Prerequisites

Before starting, ensure you have the following:

  • Microsoft Entra ID (formerly Azure AD)
  • Intune licenses
  • Windows 10 or Windows 11 devices
  • Active Directory (AD) environment with adequate read-write domain controllers
  • Domain Admin and Global Admin credentials to complete the configuration
  • Rights to create Configuration Profiles in Intune

Windows Hello Cloud Kerberos Trust – Limitations

Nothing’s perfect. Here are the limitations of the Cloud Kerberos Trust model:

  • Not supported for on-prem RemoteApps, RDP and VDIs.
    • Users will still be prompted for credentials before they can access their apps

Step-by-Step Instructions

1. Configure Cloud Kerberos Trust between the on-prem Active Directory and your Entra ID tenant

  1. Open PowerShell on your computer using “Run as different user”, and enter your Domain Admin credentials for the domain where you’ll create the trust.
  2. Run the following short script. It installs the required module, prompts for the Global Admin account to sign in with (using modern authentication), and then creates the trust.
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

#Ask for the Global Admin account
$svcGA = Read-Host -Prompt "Enter the e-mail address of the Global Admin account to use"
# Install the AzureADHybridAuthenticationManagement PowerShell module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

# Specify the on-premises Active Directory domain. A new Microsoft Entra ID
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN

# Enter a UPN of a Global Administrator
$userPrincipalName = $svcGA

# Create the new Microsoft Entra ID Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Microsoft Entra ID.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
[Screenshot: Windows Hello Cloud Kerberos Trust]

2. Configure Windows Hello for Business Policy Settings

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Windows > Configuration > Create > New Policy.
  3. Select the platform Windows 10 and later and the profile type Settings Catalog, then click Create.
  4. Name your profile according to your naming convention and provide a description
  5. Click Add Settings, search for “Hello” and click on Windows Hello for Business.
  6. Select and configure the following settings. Be careful not to select the ones ending in (User):
[Screenshot: Windows Hello Cloud Kerberos Trust]
  7. These settings are the most common and recommended values. You may edit or add values to fit your business needs, but Use Cloud Trust for On Prem Auth is required.
  8. Other recommended settings, if they apply to your environment:
    • Require Security Device (TPM)
    • Restrict use of TPM 1.2
  9. Click Next, assign any required scope tags, assign the policy to the required groups, and click Create.

3. Enroll Users in Windows Hello for Business

Once your devices have received the policy, users will be asked to enroll in Windows Hello after they sign in, but before they reach the desktop.

Once the enrollment is complete, try to access any on-prem network share that the user account has read permissions on.

  1. Open file explorer
  2. In the address bar, enter \\servername.domain.fqdn\sharename
  3. The share should open without asking for credentials.

Troubleshooting Tips

  • The Windows Hello enrollment page doesn’t appear; instead you see a white page and the device gets stuck there
    • This is due to access control software such as CyberArk EPM blocking the DLLs required by Hello onboarding and the modern login screen. Blocked libraries will be listed in EPM logs.
  • Check the Domain Controllers OU of your Active Directory: ensure the Cloud Kerberos Trust object is present among your domain controllers. The object is called AzureADKerberos.
  • Review policy settings: Double-check that all required policies are correctly configured.
  • Test with pilot users: Start with a small group of users to identify and resolve any issues before a wider rollout.
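The two checks above (the on-prem share test in step 3 and the AzureADKerberos object check) can be scripted. The following is an added example, not code from the original post; it assumes the AzureADHybridAuthenticationManagement and ActiveDirectory modules are installed on the admin workstation, and that the client-side function runs on an Entra-joined device after Windows Hello enrollment.

```powershell
# Added example (not from the original post). Server-side check: confirm the
# AzureADKerberos object exists in the Domain Controllers OU and that its key
# version matches the copy published to Entra ID.
function Test-CloudKerberosServerObject {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [Parameter(Mandatory)] [string]$GlobalAdminUpn   # prompts for modern auth sign-in
    )
    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    $searchBase = "OU=Domain Controllers,$domainDn"
    $krbObj = Get-ADObject -Filter { Name -eq 'AzureADKerberos' } `
                           -SearchBase $searchBase -Properties whenCreated
    if (-not $krbObj) {
        Write-Warning "No AzureADKerberos object in $searchBase. Rerun Set-AzureADKerberosServer."
        return $false
    }
    Write-Host "Found $($krbObj.DistinguishedName) (created $($krbObj.whenCreated))"

    # Compare the on-prem object with the one published to the tenant.
    $ks = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $GlobalAdminUpn
    $ks | Format-List DomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
    if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
        Write-Warning "KeyVersion differs from CloudKeyVersion: the object was not published correctly."
        return $false
    }
    return $true
}

# Client-side check: a device that can open \\server\share silently must hold
# both a cloud TGT and an on-prem TGT, which dsregcmd reports under SSO State.
function Test-CloudKerberosClient {
    $ssoLines = (dsregcmd /status) | Select-String -Pattern 'AzureAdPrt\s*:', 'CloudTgt\s*:', 'OnPremTgt\s*:'
    $ssoLines | ForEach-Object { $_.Line.Trim() } | Write-Host
    $onPremTgt = ($ssoLines | Where-Object { $_.Line -match 'OnPremTgt\s*:\s*YES' }) -ne $null
    if (-not $onPremTgt) {
        Write-Warning "No on-prem TGT: check the policy assignment and that Hello enrollment completed."
    }
    # Show the Kerberos tickets currently cached for this logon session.
    klist | Select-String -Pattern 'krbtgt/'
    return $onPremTgt
}

# Usage (run the first on the admin workstation, the second on an enrolled client):
# Test-CloudKerberosServerObject -GlobalAdminUpn 'admin@tenant.example'   # placeholder UPN
# Test-CloudKerberosClient
```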

Conclusion

By following these steps, you can configure Windows Hello for Business with Cloud Kerberos Trust, providing a seamless and secure authentication experience for your users. This setup not only enhances security but also improves user productivity by eliminating the need for repeated credential entry.


Feel free to ask if you need any more details or further assistance. We’re here to help!
