Forum Discussion
dilanmic
Mar 29, 2024, Iron Contributor
Enable Windows Hello in Hybrid Environment
Hi all,
We are planning to enable Windows Hello for our hybrid AD joined devices. I have the below questions around it before proceeding with it. Appreciate anyone's help.
- Is a certificate or Cloud Kerberos configuration a must? Can't we enable Windows Hello from Microsoft Intune like we do for Azure AD standalone devices?
- Do we need to consider anything important if we go forward with the Cloud Kerberos configuration (it seems this is the only method where we don't need a certificate)? Because we have around 20+ domain controllers in our environment, including RODCs.
- Can I please have the pros and cons of enabling Windows Hello for a hybrid environment?
Thanks in advance!
Dilan
Joe Stocker, Bronze Contributor
dilanmic First, yes, you should move forward with Windows Hello for Business if you can because it is a phishing-resistant method of authentication for all Windows computers. Microsoft now recommends Cloud Kerberos Trust instead of Certificate Trust for most scenarios. The only caveat is that if you can move your computers to Entra Joined (requires a full device wipe) then you can use the Key Trust method. When machines are hybrid joined, you cannot use Intune exclusively to manage Windows Hello for Business - you must first configure Cert Trust, or the preferred Cloud Kerberos Trust.
The WHfB setup with Cloud Kerberos Trust requires running a script on a writable domain controller (not an RODC) to configure the necessary trust settings and objects in Active Directory. This is a one-time operation that does not need to be performed on each domain controller.
After the initial setup, when a user tries to authenticate using WHfB, the authentication request needs to be processed by a domain controller that can handle Cloud Kerberos Trust requests. RODCs, by design, do not hold writable copies of the domain database and typically refer authentication requests back to writable domain controllers.
Therefore, in a site with only RODCs, while the initial configuration for WHfB using Cloud Kerberos Trust can be set up elsewhere (on a writable domain controller), the actual authentication process might face challenges because RODCs do not process certain types of authentication requests like those needed for WHfB. Users in such sites would need to be able to reach a writable domain controller to complete their WHfB authentication successfully.
So in that scenario, you either need to re-think your RODC model, or deploy WH4B with Cert Trust, or move your computers to Entra joined (requires a full device wipe); for example, through attrition you can provide users with new computers that are Entra joined.
Cloud Kerberos Trust Considerations
- Read-Only Domain Controller (RODC) Support: Cloud Kerberos Trust does not support authentication against RODCs directly. If you have environments where RODCs are used, especially in remote or branch office scenarios, this limitation needs to be considered.
- Network Requirements: Ensure reliable connectivity to Azure AD for authentication processes, as Cloud Kerberos Trust relies on Azure services for the Kerberos ticket issuance.
- Domain and Forest Functional Level: Verify that the domain and forest functional levels meet the minimum requirements for Windows Hello for Business with Cloud Kerberos Trust. Since Windows Server 2012 / R2 is no longer supported as of October 2023, you should make sure your domain controllers are running a supported version of Windows.
Certificate Trust
- Pros:
- Broad Compatibility: Works well in environments with complex networking and on-premises resources.
- Mature Technology: Having been around for a while, it's well understood and documented.
- RODC Support: Compatible with RODCs, making it suitable for various deployment scenarios.
- Cons:
- Complexity: Requires a Public Key Infrastructure (PKI) setup, which can be complex to manage.
- Maintenance Overhead: PKI necessitates ongoing maintenance, including certificate issuance, renewal, and revocation.
Migrating to Entra (Azure AD) Joined and deploying WH4B with Key Trust via Intune
- Pros:
- Modern Management: Facilitates modern management and security practices, aligning with cloud-first strategies.
- Seamless User Experience: Offers a seamless sign-in experience for users with single sign-on (SSO) across cloud services. Many people do not know that your Entra Joined devices can also access on-premises AD resources like file shares. To learn more about that view the documentation here: https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources
- Reduced On-Premises Dependency: Minimizes the dependency on on-premises infrastructure, reducing maintenance and operational costs.
- Cons:
- Migration Effort: Requires effort and planning to migrate from hybrid to fully cloud environments.
- Compatibility Issues: May encounter compatibility issues with legacy applications and infrastructure.
- Network Dependency: Increased dependency on internet connectivity for authentication and access control.
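A readiness check for the points raised in this answer (unsupported DC operating systems, sites served only by RODCs, and whether the one-time Cloud Kerberos Trust setup has already been run in the domain). This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that the account can read AD, and that the setup script created the default computer object named `AzureADKerberos`.

```powershell
# Added WHfB Cloud Kerberos Trust readiness check (not from the thread).
# Assumptions: RSAT ActiveDirectory module present; read access to the domain;
# the trust object created by the setup script is named 'AzureADKerberos'.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsReadOnly, OperatingSystem, IPv4Address

# 1. Domain controllers still on Windows Server 2012 / R2, which left support
#    in October 2023 as noted in the answer above.
$unsupported = $dcs | Where-Object { $_.OperatingSystem -match 'Server 2012' }
if ($unsupported) {
    Write-Warning 'Domain controllers on an unsupported operating system:'
    $unsupported | Format-Table Name, Site, OperatingSystem -AutoSize
}

# 2. Sites that contain only RODCs. Cloud Kerberos Trust sign-ins from these
#    sites must reach a writable DC, so each one needs a network path to one.
$rodcOnlySites = $dcs | Group-Object Site | Where-Object {
    ($_.Group | Where-Object { -not $_.IsReadOnly }).Count -eq 0
}
foreach ($site in $rodcOnlySites) {
    Write-Warning ("Site '{0}' has only RODCs: {1}" -f $site.Name, ($site.Group.Name -join ', '))
}

# 3. Has the one-time setup on a writable DC already been performed?
#    (Assumption: it creates a computer object named 'AzureADKerberos'.)
$kerbObj = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -Properties whenCreated -ErrorAction SilentlyContinue
if ($kerbObj) {
    "Azure AD Kerberos server object present, created $($kerbObj.whenCreated)"
} else {
    Write-Warning "No 'AzureADKerberos' object found: the Cloud Kerberos Trust setup has not been run in this domain."
}

# 4. Summary table for the change record: writable vs read-only DCs per site.
$dcs | Sort-Object Site, Name | Format-Table Name, Site, IsReadOnly, OperatingSystem -AutoSize
```

Run it once per domain from a domain-joined admin workstation; a site that appears in the RODC-only warning is one where the answer's caveat about WHfB authentication applies.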
dilanmic, Iron Contributor
Thank you very much for the detailed explanation. If there are any concerns I'll post them here. At the moment we are considering the pros and cons of implementing Windows Hello with Cloud Kerberos Trust where we have DCs only. Maybe in the initial stage we may avoid locations where we have RODCs.
Just a quick one: if we go fully Azure AD standalone a few years down the line, do we need to go through a migration process or does it work without any migration?
Joe Stocker, Bronze Contributor
There is no migration of WH4B. What will happen is when a user gets a new computer that is Entra ID joined (aka Azure AD joined), they will enroll into WH4B Key Trust and will re-register their PIN and/or biometrics. Those users can co-exist alongside the other users who are still using WH4B Cloud Kerberos Trust; you can have both methods active at the same time.