Windows Hello for Business Deployment with Intune

Cloud Kerberos Trust – Full Hands-On Lab Guide

Audience: Intune / Entra administrators
Skill level: Intermediate
Deployment model: Cloud Kerberos Trust (recommended)
Management platform: Microsoft Intune

---

Lab Overview

This lab walks you through deploying Windows Hello for Business (WHfB) using Intune Account Protection policies with Cloud Kerberos Trust. You will configure policies, assign them correctly, validate on endpoints, and troubleshoot common issues.

This lab reflects current best practices and avoids deprecated or unreliable deployment methods.

---

Lab Objectives

By the end of this lab, you will be able to:

• Deploy Windows Hello for Business using Intune Account Protection
• Configure Cloud Kerberos Trust correctly
• Avoid common policy conflicts
• Validate WHfB provisioning on Windows devices
• Understand when not to use Settings Catalog or Enrollment policies

---

Architecture Summary (Recommended)

Component	Role
Microsoft Entra ID	Identity provider
Microsoft Intune	Policy deployment
Windows 10/11	WHfB client
Cloud Kerberos Trust	On-prem authentication (hybrid scenarios)

---

Prerequisites Checklist

Before starting, confirm the following:

• Windows 10 22H2 or Windows 11 (recommended)
• Device enrolled in Intune
• User licensed for Intune
• Hybrid or cloud-only Entra ID supported
• Cloud Kerberos Trust already functional (if hybrid)
• Test device group created in Intune

---

Important Design Rules (Read First)

• One WHfB policy per device
• Do not mix certificate trust and cloud trust
• Device-based assignment is preferred
• Biometrics cannot be enforced, only allowed
• Avoid overlapping WHfB policies from multiple locations

---

Step 1: Validate Current WHfB State (Baseline)

On a test device:

1. Open Settings
2. Go to Accounts → Sign-in options
3. Confirm:
   • Windows Hello is not already provisioned
   • No PIN exists (ideal for clean testing)

Optional (advanced):

dsregcmd /status

Confirm:

• AzureAdJoined = YES (or HybridJoined)
• SSO State is healthy

---

Step 2: Create WHfB Policy (Account Protection)

Navigation Path

Intune Admin Center
→ Endpoint security
→ Account protection
→ Create policy

Platform

• Windows 10 and later

Profile

• Account protection

---

Step 3: Configure Windows Hello for Business Settings

Configure only the required settings.

Core Settings (Required)

Setting	Value
Use Windows Hello for Business	Enabled
Use cloud trust for on-prem authentication	Enabled

Critical Conflict Setting

Setting	Value
Use certificate for on-prem authentication	Disabled

⚠️ If certificate trust is enabled, Cloud Kerberos Trust will not work reliably.

---

Step 4: Biometrics Configuration (Reality Check)

• Biometrics are optional gestures
• PIN is still MFA (device + knowledge)
• Do not attempt to force biometrics

Leave biometric settings Not configured unless you are explicitly disabling them.

---

Step 5: Assign the Policy (Very Important)

Best Practice Assignment

• Assign to device groups
• Use a dedicated WHfB test group

Avoid

• Assigning to users
• Assigning multiple WHfB policies
• Overlapping test and production policies

---

Step 6: Sync and Provision WHfB

On the test device:

1. Go to Settings → Accounts → Access work or school
2. Select your tenant → Info → Sync
3. Sign out
4. Sign back in

Expected result:

• User is prompted to set up a PIN
• Biometrics offered if hardware exists

---

Step 7: Validation Checklist

On the endpoint:

• PIN sign-in works
• Password sign-in no longer required
• (Hybrid) On-prem resources authenticate successfully
• No certificate prompts appear

Optional logs:

Event Viewer → Applications and Services Logs
→ Microsoft → Windows → HelloForBusiness

---

Step 8: Common Failure Scenarios

1. WHfB Does Not Provision

Check:

• Policy assignment
• Conflicting WHfB policies
• Device group membership

---

2. Cloud Trust Works Intermittently

Check:

• Certificate trust disabled
• No legacy GPOs for WHfB
• Single policy applied

---

3. Biometrics Missing

Check:

• Hardware support
• Drivers
• User skipped biometric enrollment

This is not a policy failure.

---

When NOT to Use These Methods

❌ Settings Catalog (Primary)

• Can apply inconsistently
• Harder to troubleshoot
• Best used only for edge settings

❌ Enrollment WHfB Policy

Devices → Enrollment → Windows Hello for Business

• Applies only at enrollment
• Does not retrofit cleanly
• Limited troubleshooting visibility

---

Recommended Production Model

Task	Tool
Deploy WHfB	Account Protection
Control auth model	Cloud Kerberos Trust
Device targeting	Device groups
Troubleshooting	Event logs + Intune status

---

Lab Cleanup (Optional)

• Remove test device from WHfB group
• Delete test Account Protection policy
• Remove PIN from device if needed

---

Key Takeaways

• Account Protection is the preferred WHfB deployment method
• Cloud Kerberos Trust is simpler and more reliable than cert trust
• Most failures are policy conflicts, not bugs
• Biometrics are optional. PIN is sufficient and secure

---

Appendix: Quick Troubleshooting Matrix

Symptom	Likely Cause
No PIN prompt	Policy not applied
On-prem auth fails	Cert trust enabled
Inconsistent behavior	Multiple WHfB policies
No biometrics	Hardware limitation

---

Just tell me what to add.