Exploring Device Management.
31 December 2023
In the ever-evolving landscape of cybersecurity, organizations are constantly seeking robust solutions to ensure their data and systems remain protected. One such innovative tool that has gained prominence is Windows Hello for Business Cloud Trust. This technology offers a new level of authentication and security, particularly in hybrid scenarios where cloud-based and on-premises resources are integrated. In this blog post, we’ll dive into the intricacies of Windows Hello for Business Cloud Trust, the concept of Cloud Trust, its significance in hybrid environments, and the key differences between Cloud Trust and Key Trust.
Windows Hello for Business is a modern authentication platform developed by Microsoft that leverages biometric factors like fingerprint recognition, facial recognition, and PINs to provide users with a seamless, password-free experience. This approach enhances security by reducing the risks associated with password-based authentication, such as phishing and brute-force attacks. By utilizing biometric information, Windows Hello for Business offers a more secure and convenient way for users to access their devices and applications.
As you might ask where Windows Hello saves biometric data you need to know that those information’s are stored locally and secured on the device. It never leaves the device and also does not roam.
If you want to read more about the security you can check out this Microsoft Learn page HERE.
In the realm of cybersecurity, trust is paramount. Cloud Trust refers to the confidence that an organization places in cloud-based services to securely manage sensitive information. Cloud Trust involves a combination of security measures, compliance protocols, and data protection mechanisms to ensure the integrity and confidentiality of data stored and processed in the cloud. Windows Hello for Business Cloud Trust builds on this concept by integrating the trust established within cloud services with the modern authentication capabilities of Windows Hello. It enables you to use security features and modern authentication within an hybrid environment.
Lets see how the authentication works:
-User sign-in on the client with Windows Hello for Business based on modern Authentication by Azure AD.
First of all you need to fulfil some requirements:
Check that you have your Clients in Azure AD, marked as „Hybrid Azure AD joined“:
Check that your Windows clients are at least 21H2:
When you meet the requirements you can start with creating an Azure AD Kerberos Server object in your onprem Active directory. So you need to open an administrative PowerShell on your domain controller.
Next we are going to install the PowerShell module:
# Install the module
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Now we create some variables. Please change „globaladmin@domain.onmicrosoft.com“ to an Global Administrator account from your Azure AD, this account will be used to create the Azure AD Kerberos Server connection, but it is not used for it to authenticate later. This will bring you an Authentication box where you need to enter the credentials of an domain admin user from your onprem AD:
```powershell
# Get your domain
$domain = $env:USERDNSDOMAIN
# Enter a domain administrator username and password.
$domainCred = Get-Credential
# UserPrincipalName of an Azure AD Global Administrator
$userPrincipalName = „globaladmin@domain.onmicrosoft.com"
Lastly we need to use a command from the module to create the Azure AD Kerberos Server object in our onprem AD. This will promt you with an Azure AD authentication popup where you need to authenticate with an Global Administrator from your Azure AD:
# Create the new Azure AD Kerberos Server object in Active Directory
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
After you have authenticated here the object should be created in your onprem AD. To check you can either type
Get-AzureADKerberosServer -Domain $domain –UserPrincipalName $userPrincipalName
in your active PowerShell session an it will show you that there is an object created:
or you could also open the „Active Directory Users and Computers“ console and check under „Domain Controllers“ that the AzureADKerberos object is created:
To finish the setup you should initiate an Azure AD Connect V2 sync cycle. You can do this from the server that hosts your Azure AD Connect from PowerShell with the following command:
Start-ADSyncSyncCycle -PolicyType Delta
Wait a few minutes, depending on the size of your onprem AD this can take a few minutes.
You also need to configure an GPO to enable Windows Hello for Business an your Windows clients. To do so you need to open the „Group Policy Management“ console within your onprem AD. Please create a new policy and set the Security Filtering on „Domain Computers“ and assign the policy to the organizational unit where your clients are located:
Next you need to configure Windows Hello for Business under „Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business“. Enable the following settings:
Close the policy editor to save changes.
Once the policy has been applied to your Windows clients, the next time a user is signing in to Windows the user will be prompted to configure Windows Hello.
Depending on your client hardware the user can setup:
Once configured the use can use the Windows Hello sign-in method at the next login. For example PIN:
Hybrid environments, where organizations operate a combination of on-premises infrastructure and cloud services, present unique security challenges. Windows Hello for Business Cloud Trust bridges the gap between these two domains by extending the security benefits of Windows Hello to both cloud-based and on-premises resources. This integration ensures consistent and secure authentication regardless of where the resources are located. As organizations increasingly adopt hybrid architectures, the need for a unified and strong authentication mechanism becomes critical to prevent potential security vulnerabilities.
One of the most critical aspects of modern enterprise architecture is the seamless integration between on-premises Active Directory (AD) and Azure Active Directory (AAD) in hybrid environments. This integration is essential for achieving Single Sign-On (SSO) capabilities and maintaining a smooth user experience across both on-premises and cloud resources. Windows Hello for Business (Cloud Trust) plays a pivotal role in enhancing this integration, facilitating SSO and leveraging the power of Kerberos authentication for a secure and unified authentication experience.
Single Sign-On (SSO) is a user authentication process that enables users to access multiple applications and services with a single set of credentials. This streamlined experience enhances user productivity and minimizes the need for repeatedly entering usernames and passwords. Windows Hello for Business (Cloud Trust) enhances SSO capabilities by providing users with biometric-based authentication, enabling them to seamlessly access both on-premises and cloud-based resources without the need for traditional passwords.
When integrated with AAD, Windows Hello for Business (Cloud Trust) extends SSO across various devices and platforms. Users can log in to their devices using biometric authentication, and this authentication is then used to access AAD-protected resources in a secure and efficient manner. The cloud-based authentication process, based on biometric factors or PINs, further solidifies user identity, contributing to a higher level of trust in the authentication process.
Kerberos is a widely used network authentication protocol that provides strong authentication for client-server applications by using symmetric key cryptography. In a hybrid environment where both on-premises AD and cloud-based AAD coexist, maintaining consistent authentication mechanisms is vital. Windows Hello for Business (Cloud Trust) enhances this integration by acting as a bridge between traditional Kerberos-based authentication and modern biometric-based authentication.
When a user logs in to a device using Windows Hello for Business (Cloud Trust), the underlying authentication process involves both the device and the cloud. This process generates a token that can be used to access various resources, including those protected by Kerberos authentication. This token is trusted by both on-premises AD and cloud-based AAD, enabling the user to access resources across both environments without the need for multiple logins or complex authentication steps.
Cloud Trust and Key Trust are two authentication models within Windows Hello for Business, each with its own approach to securing user authentication.
In case that a devices does not enroll to Hybrid Azure AD joined you can try the command „dsregcmd /status“ to check it locally:
If your device is not showing „YES“ at „AzureAdJoined“ you might want to execute the command „dsregcmd /debug“ to get further details:
In case that you want to check the Event log for Windows Hello for Business issues you can find that at „Applications and Services Logs -> Microsoft -> Windows -> HelloForBusiness -> Operational“:
If a user forgets his PIN or the Biometrics does not work her can use the Self-Service from the Lock screen page of the device to click on „I forgot my PIN“ to initiate a reset by himself:
Once clicked there will popup an Azure AD authentication window where the User needs to sign in with his Azure AD credentials:
The user then can reset his PIN or biometrics by himself.
There are a few scenarios which are by design not supported and will not work:
Windows Server Active Directory Domain Services (AD DS)-joined (on-premises only devices) deployment.
Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
S/MIME by using a security key.
Run as by using a security key.
Log in to a server by using a security key.
Windows Hello for Business Cloud Trust is a significant step forward in enhancing authentication security in hybrid environments. By integrating Cloud Trust, organizations can leverage the strengths of cloud services while maintaining a high level of trust and security. As the cyber threat landscape continues to evolve, adopting modern authentication mechanisms like Windows Hello for Business becomes imperative for organizations seeking to safeguard their data and systems effectively. Whether opting for Cloud Trust or Key Trust, the ultimate goal is to provide users with a seamless, secure, and password-free authentication experience that aligns with the organization’s security preferences. Cloud trust plays a pivotal role when the goal is a smooth integration between onprem and Cloud as it enables Single-Sign-ON capabilities and modern authentication with biometrics while keeping authentication data secure in hybrid environments.
If you want to distribute certificates you also need an working PKI infrastructure and an Intune NDES Connector.