From d5c489b33139c3ba32240bd7325d69d567f8ee20 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 3 Oct 2022 12:52:10 -0400
Subject: [PATCH] migration details added

---
 .../hello-hybrid-cloud-kerberos-trust.md       | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index 7e64879acd..a527856529 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -231,6 +231,24 @@ After a successful MFA, the provisioning flow asks the user to create and valida
 
 Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
 
+## Migrate to cloud Kerberos trust
+
+If you deployed WHFB using the **key trust** deployment model and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
+
+1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
+1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
+
+There is no migration path from certificate trust deployment to cloud Kerberos trust deployment. You will need to clean up existing deployments and redeploy by following these steps:
+
+1. Disable the certificate trust policy
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
+1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
+1. Reboot or sign out and sign back in
+1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
+    > [!NOTE]
+    > For hybrid Azure AD joined devices, sign in with new credential with line of sight to a DC
+
 ## Troubleshooting
 
 If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps: