How to Configure Windows Hello for Business Cloud Kerberos Trust in Intune

First, you need to install the Microsoft PowerShell module that creates the Kerberos server object in your on-premises Active Directory. Run this on a domain-joined machine where you have Domain Admin privileges.

# Install the required PowerShell module
Install-Module -Name AzureADHybridAuthenticationManagement -Force

# Import the module
Import-Module AzureADHybridAuthenticationManagement

Now create the Kerberos server object that enables your on-premises Active Directory to trust cloud-issued Kerberos tickets. This is the bridge between your cloud identity and on-premises resources.

# Connect to Azure AD with Global Admin credentials
Connect-AzureAD

# Create the Kerberos server object for your domain
New-AzureADKerberosServer -Domain "yourdomain.com"

# Verify the object was created
Get-AzureADKerberosServer -Domain "yourdomain.com"

Replace yourdomain.com with your actual Active Directory domain name. The command creates a computer object named AzureADKerberos in your domain's Computers container.

Configure the foundational Windows Hello for Business settings using Intune's Account Protection policy. This replaces the legacy tenant-wide settings and provides better control over deployment.

Navigate to the Microsoft Intune Admin Center at https://intune.microsoft.com and follow these steps:

1. Go to Endpoint Security → Account Protection
2. Click Create Policy
3. Select Platform: Windows 10 and later
4. Select Profile: Account protection
5. Click Create

Configure these critical settings:

Use Windows Hello For Business (User): Enabled
Require Security Device (User): Enabled
Minimum PIN Length: 6 (or your organization's requirement)
Maximum PIN Length: 127
Lowercase Letters in PIN: Allow
Uppercase Letters in PIN: Allow
Special Characters in PIN: Allow
PIN Expiration (Days): Not Configured

Assign the policy to a security group containing your target users, then click Create.

The Settings Catalog approach is the modern way to configure Windows Hello for Business cloud Kerberos trust. This replaces legacy OMA-URI configurations and provides better reliability.

In the Microsoft Intune Admin Center:

1. Navigate to Devices → Windows → Configuration profiles
2. Click Create profile
3. Select Platform: Windows 10 and later
4. Select Profile type: Settings Catalog
5. Click Create

Name your policy something descriptive like "Windows Hello Cloud Kerberos Trust" and click Next.

Add the specific settings that enable cloud Kerberos trust for on-premises authentication. These settings tell Windows devices to request Kerberos tickets from the cloud instead of directly from domain controllers.

In the Settings Catalog policy:

1. Click Add settings
2. In the settings picker, search for Windows Hello for Business
3. Expand the Windows Hello for Business category

Add and configure these essential settings:

Use Cloud Trust For On Prem Auth: Enabled
Cloud Kerberos Ticket Retrieval Enabled: Enabled
Use Certificate For On Prem Auth: Disabled

The Use Certificate For On Prem Auth setting should be disabled if you were previously using certificate-based authentication, as it can conflict with cloud Kerberos trust.

Click Next to proceed to assignments.

Proper assignment ensures your policies reach the right devices and users. Create a security group strategy that allows for phased deployment and easy troubleshooting.

For the Settings Catalog policy:

1. Click Next on the Assignments tab
2. Under Included groups, click Add groups
3. Select your target device security group (e.g., "Windows Hello Pilot Devices")
4. Click Select

Review your configuration and click Create.

For both policies, verify the assignments:

Account Protection Policy: Assigned to USER groups
Settings Catalog Policy: Assigned to DEVICE groups

This assignment strategy ensures Windows Hello settings apply to users while cloud Kerberos trust applies to devices.

Speed up policy deployment by manually triggering a sync on your test devices. This avoids waiting for the standard 8-hour sync cycle.

On each target Windows device, open an elevated Command Prompt and run:

rem Force Intune policy sync
C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM

rem Alternative method using PowerShell
powershell -Command "Get-ScheduledTask | Where-Object {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask"

Or use the Company Portal app:

1. Open Company Portal app
2. Go to Settings
3. Click Sync
4. Wait for "Last sync" timestamp to update

For hybrid-joined devices, also run:

gpupdate /force

Verify that Windows Hello for Business is working correctly before testing cloud Kerberos trust. Users need to enroll in Windows Hello first.

Have a test user sign in to a target device and set up Windows Hello:

1. Go to Settings → Accounts → Sign-in options
2. Under Windows Hello PIN, click Set up
3. Follow the enrollment wizard to create a PIN
4. Optionally set up fingerprint or face recognition if hardware supports it

The enrollment process should complete without errors and prompt for MFA verification.

Verification commands to run on the device:

rem Check Windows Hello status
dsregcmd /status | findstr "WamDefaultSet\|AzureAdPrt"

rem Verify Hello for Business enrollment
certlm.msc

In Certificate Manager, look for certificates in Personal → Certificates with "Windows Hello for Business" in the subject name.

Now test the core functionality: accessing on-premises resources using cloud-issued Kerberos tickets. This is where the magic happens.

Have your test user sign in with Windows Hello and attempt to access on-premises resources:

rem Test file share access
net use Z: \\server\share

rem Check current Kerberos tickets
klist

rem Test specific service access
klist get krbtgt

The klist command should show Kerberos tickets that were obtained from the cloud rather than directly from your domain controllers.

Test these scenarios:

• Access file shares on domain-joined servers
• Launch domain-joined applications
• Access internal web applications using Integrated Windows Authentication

Additional verification using PowerShell:

# Check authentication method
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-HelloForBusiness/Operational'; ID=300} -MaxEvents 5

Establish monitoring to track deployment success and quickly identify issues. Windows Hello for Business generates detailed logs that help with troubleshooting.

Key monitoring locations in Intune:

1. Endpoint Security → Account Protection → Select your policy → Device status
2. Devices → Configuration profiles → Select Settings Catalog policy → Device status
3. Devices → Monitor → Device compliance

On client devices, monitor these Event Viewer logs:

Applications and Services Logs → Microsoft → Windows → HelloForBusiness → Operational
Applications and Services Logs → Microsoft → Windows → AAD → Operational
Applications and Services Logs → Microsoft → Windows → User Device Registration → Admin

Common troubleshooting commands:

rem Check device registration status
dsregcmd /status

rem Verify TPM status
tpm.msc

rem Check Windows Hello certificate
certlm.msc

Create a troubleshooting checklist:

• Verify TPM 2.0 is enabled and functional
• Confirm device is Azure AD joined or hybrid joined
• Check that both policies applied successfully
• Verify MFA is configured for the user
• Ensure AD Connect is synchronizing properly