Policy

Use cloud trust for on-premises authentication

Microsoft Windows

Back to Windows Hello for BusinessBack to main
Use cloud trust for on-premises authentication
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Components > Windows Hello for Business
Supported on
At least Windows 10

Supported OS tags: Windows10, Windows10RT

Use this policy setting to configure Windows Hello for Business to use Azure AD Kerberos for on-premises authentication. If you enable this policy setting, Windows Hello for Business will use a Kerberos ticket retrieved from authenticating to Azure for on-premises authentication. If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate (depending on other policy settings) for on-premises authentication. NOTE: An environment that enables both this policy setting, and the "Use Windows Hello for Business" policy setting requires one or more Windows Server 2016 domain controllers. Otherwise, Windows Hello for Business authentication will fail.

Internal name
WHFB_UseCloudTrustForOnPremAuth
Policy ID
72ea326927c3
Elements
0

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
SOFTWARE\Policies\Microsoft\PassportForWork
Value name
UseCloudTrustForOnPremAuth
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
SOFTWARE\Policies\Microsoft\PassportForWork
Value name
UseCloudTrustForOnPremAuth
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.