Mobile Jon's Blog

Cloud Kerberos Trust: The Windows Hello for Business Easy Button

One of the big misconceptions is that Windows Hello for Business (WH4B) is hopelessly complicated. The game changer is Cloud Kerberos Trust, which removes the PKI and key-sync dependencies of the older key trust and certificate trust models. Today, we’ll cover the architecture, creating the Entra Kerberos server object, configuring Entra Connect, and the Intune and Group Policy settings that switch it on.

Windows Hello for Business Architecture with Cloud Kerberos Trust

The WH4B architecture for Cloud Kerberos Trust uses concepts that are already familiar to Active Directory engineers. Here is the flow, step by step:

The architectural flow for Windows Hello for Business Cloud Kerberos Trust
  1. The user authenticates to Microsoft Entra ID (once WH4B is provisioned, with the Windows Hello key rather than a password).
  2. Entra ID checks for a Kerberos server key matching the user’s on-premises AD domain and issues a partial TGT for that domain. The partial TGT contains only the user’s SID and is signed with the Entra Kerberos server key; it carries no group or authorization data.
  3. The partial TGT is returned to the device along with the user’s primary refresh token (PRT).
  4. The device presents the partial TGT to an on-premises domain controller, which exchanges it for a full TGT. To the DC this looks like a ticket issued by a read-only domain controller (RODC): the Entra Kerberos server object is an RODC-style computer account with its own krbtgt_AzureAD key, and the DC validates the partial TGT against that key.
  5. The client now holds a PRT for cloud resources and a full TGT for on-premises resources, so both sides work without a password.

A more detailed path of the authentication flow end-to-end can be seen below:

Cloud Kerberos trust end-to-end authentication flow

Now that we know how things work, we can cover how to set things up. Let’s start with generating the Kerberos server object.

Creating the Entra Kerberos Server Object for Cloud Kerberos Trust

The process of creating the object is really simple. It uses the AzureADHybridAuthenticationManagement module (installed with Entra Connect, or from the PowerShell Gallery) and must run on a domain-joined machine as a Domain Admin of the target domain, plus an Entra administrator for the cloud side. Let’s look at the code:

# Prerequisite: the module ships with Entra Connect or can be installed from the PowerShell Gallery:
#   Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Import-Module AzureADHybridAuthenticationManagement

# Specify the on-premises Active Directory domain. A new Microsoft Entra
# Kerberos Server object will be created in this Active Directory domain.
# Run as a Domain Admin on a domain-joined machine (or pass -DomainCredential).
$domain = $env:USERDNSDOMAIN

# Enter the UPN of a Microsoft Entra Global Administrator or Hybrid Identity Administrator
$userPrincipalName = "[email protected]"

# Create the new Entra Kerberos Server object in Active Directory
# and then publish it to Entra ID. This opens an interactive sign-in
# prompt for the UPN above. Re-run with -RotateServerKey to roll the key later.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

The code is very simple. It creates two objects in AD: a computer account named AzureADKerberos in the Domain Controllers OU (the RODC-style object the DCs trust) and a krbtgt_AzureAD account that holds the key Entra ID uses to sign partial TGTs:

The Azure AD Kerberos object in AD
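Once the cmdlet has run, it is worth confirming that AD and Entra ID agree on the key and putting key rotation on a schedule, since krbtgt_AzureAD deserves the same care as krbtgt. The script below is an added example, not code from the original post or from Microsoft. It assumes the AzureADHybridAuthenticationManagement and ActiveDirectory (RSAT) modules are installed on a domain-joined machine, and the admin UPN `admin@contoso.onmicrosoft.com` and the 180-day rotation threshold are placeholders of my own.

```powershell
# Added verification script (not from the original post). Assumes the
# AzureADHybridAuthenticationManagement and ActiveDirectory modules are
# present, the machine is domain-joined, and the caller is a Domain Admin
# plus an Entra Global/Hybrid Identity Administrator.
Import-Module AzureADHybridAuthenticationManagement
Import-Module ActiveDirectory

$domain = $env:USERDNSDOMAIN
$userPrincipalName = "admin@contoso.onmicrosoft.com"   # assumption: replace with your admin UPN

# 1. Read the object as Entra ID and AD each see it. KeyVersion (AD) and
#    CloudKeyVersion (Entra) must match or partial TGTs will not validate.
$kerb = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
$kerb | Format-List DomainDnsName, KeyVersion, KeyUpdatedOn, CloudKeyVersion, CloudKeyUpdatedOn, CloudTrustDisplay

if ($kerb.KeyVersion -ne $kerb.CloudKeyVersion) {
    Write-Warning "AD key version $($kerb.KeyVersion) differs from cloud key version $($kerb.CloudKeyVersion); re-run Set-AzureADKerberosServer to republish."
}

# 2. Confirm the two AD accounts the object consists of: the RODC-style
#    computer account and the krbtgt_AzureAD account it links to.
Get-ADComputer -Identity 'AzureADKerberos' -Properties msDS-KrbTgtLink, whenCreated |
    Select-Object Name, DistinguishedName, whenCreated, msDS-KrbTgtLink
Get-ADUser -Identity 'krbtgt_AzureAD' -Properties PasswordLastSet, msDS-SupportedEncryptionTypes |
    Select-Object Name, Enabled, PasswordLastSet, msDS-SupportedEncryptionTypes

# 3. Rotate the key on a schedule, as you would krbtgt. The 180-day window
#    is an assumption; pick the interval your krbtgt policy uses.
if (((Get-Date) - $kerb.KeyUpdatedOn) -gt [TimeSpan]::FromDays(180)) {
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -RotateServerKey
}
```

Run it from the same machine you used for the initial creation. A mismatch between KeyVersion and CloudKeyVersion is the first thing to check when clients report a PRT but no on-premises TGT.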

Now let’s move on to configuring Entra Connect for Cloud Kerberos Trust.

Configuring Entra ID Connect for Cloud Kerberos Trust

Cloud Kerberos Trust requires a hybrid identity, so users must be able to sign in to Entra ID with one of three authentication methods:

  1. Password Hash Synchronization (PHS)
  2. Pass-through Authentication (PTA)
  3. Federation (AD FS or a third-party IdP)

The domain controllers must be Windows Server 2016 or later with current updates, and the clients Windows 10 21H2 or Windows 11 21H2 or later, so that both sides understand the partial-TGT exchange.

We will cover how to configure the first two options. Switching to Password Hash Synchronization or Pass-through Authentication is easy: run the Entra Connect wizard and select “Change user sign-in”:

The additional tasks screen inside Microsoft Azure AD Connect

We select “Password Hash Synchronization” or “Pass-through authentication”

Configuring our user sign-in methods in Azure AD Connect

Enter the credentials the wizard asks for (an Entra administrator, plus a domain admin if you also enable seamless SSO), click “Next” and then “Configure” to apply the change.

The enable SSO screen in Azure AD Connect

It’s important to note that Cloud Kerberos Trust only helps devices that are Microsoft Entra hybrid joined (or Entra joined). Make sure hybrid join is configured in Entra Connect; if it isn’t, run the wizard again, choose “Configure device options” and set it up before deploying the policies below.

Setup Microsoft Intune Policies for Cloud Kerberos Trust

My video demo shows how to build the profile. Under the hood you need three settings from the Windows Hello for Business category of the Intune Settings Catalog, which map to the PassportForWork CSP:

  • Use Passport For Work (UsePassportForWork = True; turns WH4B on)
  • Use Cloud Trust For On Prem Auth (UseCloudTrustForOnPremAuth = True; selects the Cloud Kerberos Trust model)
  • Require Security Device (RequireSecurityDevice = True; the key must live in the TPM, so devices without a TPM won’t provision)

If you also use the tenant-wide Windows Hello for Business enrollment policy in Intune, make sure it doesn’t conflict with this profile, or set it to Not configured and let the device configuration profile govern.

If you prefer Group Policy, the equivalent settings are below. The cloud Kerberos trust setting only appears in ADMX templates from Windows builds that support it, so update your central store first.

Group policy path | Group policy setting | Value
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business (or the same path under User Configuration) | Use Windows Hello for Business | Enabled
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use cloud Kerberos trust for on-premises authentication | Enabled
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use a hardware security device | Enabled

Just like that, once the profile or GPO applies, users will be prompted to register and can sign in with Windows Hello for Business, and their on-premises resources will work through the partial-TGT exchange described above.
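Before declaring victory on a pilot device, check that the policy actually landed and that the device has both halves of the flow (a PRT and an on-premises TGT). The following client-side check is an added example, not from the original post. It assumes the Group Policy registry path under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork (Intune-delivered settings land under the PassportForWork CSP node instead, but the dsregcmd and klist state reflects them either way), and it should run in an elevated session as the user who will sign in, after the policy has applied.

```powershell
# Added client-side readiness check (not from the original post). Run in an
# elevated PowerShell session on a hybrid-joined Windows 10 21H2 / Windows 11
# client, as the user who will sign in, after the Intune profile or GPO applied.
$results = [ordered]@{}

# 1. Policy: the three settings from the post, as written by Group Policy.
#    (Assumption: GPO delivery. CSP-delivered policy lives under a tenant-ID node.)
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
foreach ($name in 'Enabled', 'UseCloudTrustForOnPremAuth', 'RequireSecurityDevice') {
    $value = (Get-ItemProperty -Path $gpo -Name $name -ErrorAction SilentlyContinue).$name
    $results["Policy:$name"] = ($value -eq 1)
}

# 2. Device state: dsregcmd exposes the fields the flow in this post depends on.
#    AzureAdPrt is step 3 of the flow; OnPremTgt/CloudTgt show step 4 succeeded.
$ds = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet', 'OnPremTgt', 'CloudTgt') {
    $line = $ds | Select-String -Pattern "^\s*$field\s*:\s*(\S+)" | Select-Object -First 1
    $results["Device:$field"] = [bool]($line -and $line.Matches[0].Groups[1].Value -eq 'YES')
}

# 3. Kerberos: the partial-TGT exchange only works against a DC that honours
#    key list requests; klist cloud_debug reports the last cloud ticket attempt.
$null = nltest /dsgetdc:$env:USERDNSDOMAIN /keylist /kdc 2>&1
$results['DC:KeyListCapable'] = ($LASTEXITCODE -eq 0)
$results['Client:CloudKerberosDebug'] = ((klist cloud_debug 2>&1) -join "`n")

$results.GetEnumerator() | ForEach-Object {
    "{0,-32} {1}" -f $_.Key, $_.Value
}
```

Every Policy and Device line should read True. If AzureAdPrt is YES but OnPremTgt is NO, the cloud side worked and the on-premises exchange did not: look at the DC:KeyListCapable result and the klist cloud_debug output, and compare the key versions on the Kerberos server object.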

Final Thoughts

The setup for Cloud Kerberos Trust is pretty easy, and it’s a major improvement over the key trust and certificate trust models: there is no PKI to build, no certificate enrollment, and no waiting for the user’s public key to sync to AD before on-premises sign-in works. Within just a few steps, we set up a great user experience. Moving to a passwordless experience on Windows 11 devices is a win for users and administrators alike.

With passkeys rapidly entering the enterprise, and being so much more resistant to phishing than passwords, it’s time to extend our capabilities and lean on them more. Windows Hello is a great gateway to passkeys, which is a win for everyone.


Let me know what you think
