deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update hello-hybrid-cloud-trust.md

Browse Source 
Added note regarding high priv accounts and msDS-NeverRevealGroup
This commit is contained in:
jjstreic 2022-09-08 12:46:11 -05:00 committed by GitHub
parent db62467eab
commit 5b0204d998
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
View File

@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud
- Using cloud trust for "Run as"
- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
> [!NOTE]
> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys.
>
> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>).
## Deployment Instructions
Deploying Windows Hello for Business cloud trust consists of two steps:
@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?
No, only the number necessary to handle the load from all cloud trust devices.
No, only the number necessary to handle the load from all cloud trust devices.