Overview
In this article we're going to discuss how you can access your on-prem resources using Intune managed devices while utilising Windows Hello for Business (WHfB).
Supporting documentation from Microsoft:
Windows Hello for Business overview - Windows Security | Microsoft Learn
Scenario
You have a hybrid environment with on-prem resources such as network shared drives. You're moving your devices into cloud only managed devices via Intune and you want to enable WHfB.
Key trust and certificate trust use certificate-based Kerberos authentication to request Kerberos ticket-granting tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and certificate trust additionally requires end-user certificates. Single sign-on (SSO) to on-premises resources from Entra joined devices requires further PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Microsoft Entra Kerberos, which doesn't require any of the above PKI to get the user a TGT.
With Microsoft Entra Kerberos, Entra ID can issue TGTs for one or more of your AD domains. Windows can request a TGT from Entra ID when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
When you enable Microsoft Entra Kerberos in a domain, a Microsoft Entra Kerberos Server object is created in your on-premises AD. This object appears as a Read Only Domain Controller (RODC) object but isn't associated with any physical server. It is used only by Entra ID to generate TGTs for your Active Directory domain. The same rules and restrictions that apply to RODCs apply to the Microsoft Entra Kerberos Server object.
Introduction to Cloud Trust
The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of on-premises SSO with passwordless security keys to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
Windows Hello for Business cloud trust uses Microsoft Entra Kerberos to address pain points of the key trust deployment model:
- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
- Cloud trust doesn't require syncing of public keys between Entra ID and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup.
Limitations
The following scenarios aren't supported using Windows Hello for Business cloud trust:
- On-premises only deployments
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- Scenarios that require a certificate for authentication
- Using cloud trust for "Run as"
- Signing in with cloud trust on an Entra ID hybrid joined device without previously signing in with DC connectivity
Prerequisites
| Requirement | Notes |
|---|---|
| Multi-factor Authentication | This requirement can be met using Entra ID multi-factor authentication, multi-factor authentication provided through AD FS, or a comparable solution. |
| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Entra ID joined and Hybrid Entra ID-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Entra ID Kerberos. If you're using Windows Server 2016, KB3534307 must be installed. If you're using Server 2019, KB4534321 must be installed. |
| Microsoft Entra Kerberos PowerShell module | This module is used for enabling and managing Entra ID Kerberos. It's available through the PowerShell Gallery. |
| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
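As an added example (not part of the original article, nor Devicie's or Microsoft's own script), the following PowerShell walks through the steps the prerequisites table and the Microsoft Entra Kerberos Server description imply: installing the Entra Kerberos module from the PowerShell Gallery, creating the Kerberos Server (RODC-like) object in the on-premises domain, verifying that the on-premises and cloud copies of the object agree, and then checking on a client that the cloud TGT is actually being issued. The domain name, admin UPN and tenant ID are placeholders; the cmdlets (`Set-AzureADKerberosServer`, `Get-AzureADKerberosServer`) come from the `AzureADHybridAuthenticationManagement` module, and the Intune OMA-URI shown is the PassportForWork CSP setting that enables cloud trust on managed devices.

```powershell
# Added example (not from the original article): enable and verify Microsoft Entra Kerberos
# for Windows Hello for Business cloud trust. All names and IDs below are placeholders.
#Requires -RunAsAdministrator

# 1. Install the Microsoft Entra Kerberos management module from the PowerShell Gallery
#    (the "Microsoft Entra Kerberos PowerShell module" in the prerequisites table).
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser

# --- Placeholders: replace with your own values ---
$domain   = 'corp.contoso.com'                   # on-prem AD domain Entra ID will issue TGTs for
$cloudUpn = 'admin@contoso.onmicrosoft.com'      # Entra ID account allowed to create the Kerberos Server object
$tenantId = '00000000-0000-0000-0000-000000000000'  # placeholder Entra tenant ID, used in the OMA-URI below

# The domain credential needs Domain Admin rights in $domain; prompt for it rather than hard-coding.
$domainCred = Get-Credential -Message "Domain Admin credential for $domain"

# 2. Create the Microsoft Entra Kerberos Server object. In AD this shows up as an RODC-style
#    computer object (AzureADKerberos) plus a krbtgt_AzureAD account; no physical server is involved.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# 3. Verify the object exists on both sides and that the key versions match. A mismatch means the
#    cloud copy hasn't been updated yet and users will not get TGTs until it is.
$server = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred
$server | Format-List Id, DomainDnsName, KeyVersion, KeyUpdatedOn, CloudId, CloudKeyVersion, CloudKeyUpdatedOn

if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    Write-Warning "On-prem key version ($($server.KeyVersion)) differs from cloud key version ($($server.CloudKeyVersion)); re-run Set-AzureADKerberosServer."
}

# 4. Because RODC rules apply, accounts in 'Denied RODC Password Replication Group' (Domain Admins and
#    other privileged groups by default) cannot sign in with cloud trust. Listing the group makes that
#    explicit so it is not mistaken for a broken deployment later.
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' |
    Select-Object Name, objectClass

# 5. Operational caveat: rotate the Kerberos Server key regularly, the same way you would treat a
#    krbtgt secret. The same cmdlet performs the rotation.
#    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred -RotateServerKey

# 6. Enable cloud trust on Intune-managed devices. Cloud trust is off by default; with a custom
#    configuration profile the setting is this PassportForWork CSP node (Boolean, value True):
$cloudTrustOmaUri = "./Device/Vendor/MSFT/PassportForWork/$tenantId/Policies/UseCloudTrustForOnPremAuth"
Write-Host "Intune OMA-URI to enable cloud trust: $cloudTrustOmaUri"

# 7. Client-side check (run on an enrolled device after a Windows Hello sign-in).
#    Under "SSO State", OnPremTgt : YES and CloudTgt : YES indicate the device obtained a cloud TGT.
dsregcmd /status | Select-String -Pattern 'OnPremTgt|CloudTgt|AzureAdPrt'
#    klist cloud_debug reports whether a cloud TGT was retrieved and, if not, why.
klist cloud_debug
```

Steps 1 to 5 run from a domain-joined management host with line of sight to a writable DC; steps 6 and 7 concern the Intune-managed client. The key-version comparison and the Denied RODC group listing are the two checks most often missing when cloud trust "doesn't work" for a subset of users.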
Devicie can help you configure WHfB on your Intune tenant and will be able to advise on Cloud Trust setup should you require any assistance.
For more details, contact Devicie Support.