From 5b0204d99888f2d566c1ce088ffc0f12eabf1131 Mon Sep 17 00:00:00 2001 From: jjstreic Date: Thu, 8 Sep 2022 12:46:11 -0500 Subject: [PATCH 1/2] Update hello-hybrid-cloud-trust.md Added note regarding high priv accounts and msDS-NeverRevealGroup --- .../hello-for-business/hello-hybrid-cloud-trust.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 8765cbc8c3..210503c8c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Using cloud trust for "Run as" - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,). + ## Deployment Instructions Deploying Windows Hello for Business cloud trust consists of two steps: @@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? -No, only the number necessary to handle the load from all cloud trust devices. \ No newline at end of file +No, only the number necessary to handle the load from all cloud trust devices. From 30c66c6c5b2e9511711c4327ca39c61ecca80c27 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 8 Sep 2022 16:14:10 -0400 Subject: [PATCH 2/2] added escape character to render <> --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 210503c8c7..95583c6427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -66,7 +66,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud > [!NOTE] > The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. > -> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,). +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\). ## Deployment Instructions
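Review bot: in the `@@ -63,6 +63,11 @@` hunk of PATCH 1/2, the distinguished name of the Azure AD Kerberos computer object is left dangling at `CN=AzureADKerberos,OU=Domain Controllers,`, so the reader is not told what completes the path after that comma (the domain's own DC components); spell out the placeholder rather than leaving the DN truncated. The same note also understates what "unblock" means: the attribute is named `msDS-NeverRevealGroup`, so every group removed from it to unblock an account is a deliberate widening of which accounts' secrets the Azure AD Kerberos object may obtain, and the text should say that this is the security boundary being relaxed and that only the specific group actually needed should be removed, not present it as a routine fix. Finally, "does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust" reads awkwardly and uses "Cloud Trust" where the rest of the page writes "cloud trust"; suggest "does not allow high-privilege accounts to sign in to on-premises resources using cloud trust or FIDO2 security keys".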
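Review bot: the `@@ -256,4 +261,4 @@` hunk of PATCH 1/2 only adds the missing newline at end of file; nothing to change in the hunk itself, but the commit message describes only the added note, so this whitespace fix should be mentioned there or split out so the diff matches its description.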
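Review bot: in the single hunk of PATCH 2/2, a backslash escape is the fragile way to get the placeholder to render; as shown here the line reads `OU=Domain Controllers,\)`, with the escaped text itself not visible, which is exactly the failure mode escaping was meant to avoid. Wrapping the whole DN in a code span (backticks) renders angle brackets literally with no escaping and makes the value copy-pasteable into Active Directory Users and Computers or a PowerShell query, which is what a reader following this note needs. Also confirm that the placeholder between the comma and the closing parenthesis is actually present in the source line, since the subject says `<>` was escaped but only one backslash is visible in the diff.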