Paolo Matarazzo
2022-10-03 13:52:05 -04:00
parent d5c489b331
commit 8fffa31475


@ -231,23 +231,29 @@ After a successful MFA, the provisioning flow asks the user to create and valida
Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate to cloud Kerberos trust ## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps: If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails 1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps: ## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment.
If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps:
1. Disable the certificate trust policy 1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context 1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
1. Reboot or sign out and sign back in 1. Reboot or sign out and sign back in
1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint) 1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
> [!NOTE] > [!NOTE]
> For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC > For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC
## Troubleshooting ## Troubleshooting
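Review bot: renaming the heading `## Migrate to cloud Kerberos trust` to `## Migrate from key trust deployment model to cloud Kerberos trust` changes the generated anchor, so any existing in-page or cross-page links to `#migrate-to-cloud-kerberos-trust` will break; search the docs for that anchor and update the links, or keep the old heading text as an explicit anchor. Style: the reworded note now reads "sign in with new credentials while having line of sight to a DC" while the key trust step above says "with line of sight to a domain controller (DC)"; use the same phrasing in both places, and note that "Hybrid Azure AD joined" in the unchanged first paragraph is capitalized differently from "hybrid Azure AD joined" in the two lists.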