Cloud Kerberos Trust policy on hybrid device

testuser7 276 Reputation points
2025-02-13T21:44:31.08+00:00

@Sanoop M

As we discussed on the Q&A forum, let's work on the following validation.

  • As you already have the AD, hybrid user, and Entra Connect to sync users to Entra, this time get one HYBRID DEVICE and enroll it into Intune.
  • Push the "Cloud Kerberos Trust policy" to this device, as we definitely need it in this scenario.
  • The first time, obviously, you will log in with your on-prem username and password. Since it is a hybrid device, the device will complete authentication with AD.
  • Now enroll this user into Windows Hello for Business and, for a sanity check, sign in with WHfB with its PIN to test that everything is nicely operational.
  • Now, again log in with the password and then, from Ctrl+Alt+Del, change your password. For a sanity check, sign in with the new password to make sure that it is properly synced in AD.
  • Finally, sign out and try to get into the device with WHfB. Let me know your findings. Remember you have NOT reset the PIN. You have only changed the password.

It DOES NOT matter how you manage to get Active Directory in line of sight. You can use VPN on your hybrid device or you can just open the AD ports for the time being.


1 answer

  1. Sanoop M 765 Reputation points Microsoft Vendor
    2025-02-17T20:22:04.4733333+00:00

    Hello @testuser7,

    Thank you for posting your query on Microsoft Q&A.

    When you're using Windows Hello for Business (WHFB) with Cloud Kerberos Trust, it works by storing your authentication keys in the cloud (Microsoft Entra ID) and linking them with your device. Below is the step-by-step process that I tested as per your suggestion, and I am providing the overall summary below for your clear understanding.

    1. Sign-in with WHFB PIN: Initially, I tried to log in to my device with my on-premises AD account (on-prem username and password), which is synced to Microsoft Entra ID. After enrolling my user account in WHFB, I authenticated via the WHFB PIN, which is stored locally on the device and backed by Microsoft Entra ID.
    2. Sign-in with Password and Change Password: I again logged in to the device using my password and then I changed the password. Then I tried to log in to the device with my new password, and I was successfully able to log in using my new updated password. Please note that when you log in to the device using your password and then change it, Microsoft Entra ID updates your password. The local password store (or Kerberos authentication) gets updated, but your WHFB PIN should still be valid because it's not tied directly to the password.
    3. Sign-out and Attempt to Sign-in with WHFB PIN: I signed out of the device and then tried to sign in using the WHFB PIN, and I was successfully able to sign in to the device using the WHFB PIN. Please note that if you sign out and then try to sign in with the WHFB PIN after changing your password, you should still be able to sign in with your WHFB PIN. This is because the PIN is tied to your user account and device registration in Microsoft Entra ID, not the password directly. The PIN essentially acts as a local authentication method tied to your user profile, and the password change should not affect its functionality.

    However, there are a few important points that we need to consider:

    • Synchronization Delay: There may be a brief delay in syncing changes (like a password change) between Microsoft Entra ID and your local device, especially if you're using a device not always connected to the network.
    • PIN Re-authentication After Password Reset: If you perform a password reset (via Microsoft Entra ID) or have any issues with syncing the password, Windows may prompt you to re-enroll or authenticate again with your WHFB PIN to refresh the session.

    In most cases, after you change your password, your WHFB PIN should still work to log in, since it's separate from your password and tied to your device registration. But if there’s a sync issue or a problem with the device’s connection to Microsoft Entra ID, there might be an issue temporarily.

    As an overall summary, and answering your question: yes, you should be able to sign in to the device using the WHFB PIN even after changing your password. This is because the WHFB PIN is tied to the user and device, and it leverages the Cloud Kerberos Trust policy for authentication.

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
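To make the validation sequence in the question (and the answer's claim that a WHfB PIN sign-in still obtains cloud and on-prem Kerberos tickets after a password change) checkable rather than a matter of "the sign-in worked", here is an added PowerShell script that neither poster wrote. Run it in the signed-in user's session on the hybrid device after each step (password sign-in, PIN sign-in, password change, PIN sign-in again). It relies on the built-in `dsregcmd /status` and `klist cloud_debug` tools and on the GPO registry location for the "Use cloud Kerberos trust for on-premises authentication" setting; the per-tenant registry location used for Intune-delivered PassportForWork settings is an assumption and should be verified on your build.

```powershell
# Added example, not from the thread. Checks the state the question's
# validation steps are supposed to produce on a hybrid-joined device.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-CloudTrustPolicy {
    # GPO-delivered setting: "Use cloud Kerberos trust for on-premises authentication".
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                            -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue
    if ($gpo) { return [int]$gpo.UseCloudTrustForOnPremAuth }

    # Intune/MDM-delivered PassportForWork settings are stored per tenant ID.
    # ASSUMED location; confirm against your device before relying on it.
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem $mdmRoot) {
            $p = Get-ItemProperty -Path (Join-Path $tenant.PSPath 'Device\Policies') `
                                  -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue
            if ($p) { return [int]$p.UseCloudTrustForOnPremAuth }
        }
    }
    return $null   # policy not found under either location
}

function Test-CloudKerberosTrust {
    $s = Get-DsregStatus
    $policy = Get-CloudTrustPolicy
    $checks = [ordered]@{
        'Hybrid joined (AzureAdJoined + DomainJoined)' = ($s.AzureAdJoined -eq 'YES' -and $s.DomainJoined -eq 'YES')
        'Cloud Kerberos trust policy enabled (=1)'     = ($policy -eq 1)
        'User has a WHfB key (NgcSet)'                 = ($s.NgcSet -eq 'YES')
        'Primary Refresh Token present (AzureAdPrt)'   = ($s.AzureAdPrt -eq 'YES')
        'Cloud TGT obtained (CloudTgt)'                = ($s.CloudTgt -eq 'YES')
        'On-prem TGT obtained (OnPremTgt)'             = ($s.OnPremTgt -eq 'YES')
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0,-4} {1}' -f $mark, $name)
    }
    return $checks
}

# After a PIN sign-in that follows the password change, every row should read PASS;
# OnPremTgt requires the DC to be reachable (VPN or open AD ports, as the question notes).
$result = Test-CloudKerberosTrust

# Raw view of the cloud ticket retrieval performed at sign-in, useful when a row fails.
klist cloud_debug
```

If "On-prem TGT obtained" fails while "Cloud TGT obtained" passes, the PIN sign-in itself succeeded but the device could not exchange the cloud TGT at a domain controller, which is the line-of-sight condition the question calls out rather than a PIN/password coupling problem.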
