testuser7-8288 asked AnshulKumarMINDTREELIMITED-5501 commented

Device Writeback

Hello,

I have one quick and binary question. Appreciate your help.
Is "device writeback" mandatory for JUST the "Windows-Hello Cert-Trust-Model"?


I am NOT interested in obtaining enterprise-PRT through ADFS.

It is a simple use case of Hybrid Azure AD join authentication using a certificate.

Thanks




Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

MarileeTurscak-MSFT answered

Hi @testuser7-8288,

Thanks for your post!

Yes, it is mandatory. Hybrid certificate trust deployments need the device writeback feature, and this is mentioned in the prerequisites for the setup guide.

If users are synchronized and devices are not, there can be Windows Hello for Business certificate enrollment failures. Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object.

Sources:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust



If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

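To check the on-prem side of the prerequisite described in the answer above (device writeback enabled in Azure AD Connect, devices written back to CN=RegisteredDevices, and computer objects carrying msDS-KeyCredentialLink), here is an added PowerShell example that is not part of this thread or of Microsoft's documentation. It assumes the RSAT ActiveDirectory module, and, for step 1, the ADSync module on the Azure AD Connect server; the Get-ADSyncAADCompanyFeature cmdlet and its DeviceWriteback property are an assumption to verify against your own install.

```powershell
# Added example, not from the thread. Read-only checks for a hybrid cert-trust
# deployment: device writeback switch, written-back device objects, and which
# computer objects already carry a key credential link.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Device writeback flag in Azure AD Connect. Only meaningful on the AAD
#    Connect server; cmdlet/property names are an assumption to verify locally.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    "Device writeback enabled in AAD Connect: $($features.DeviceWriteback)"
} else {
    "ADSync module not present on this host; run step 1 on the Azure AD Connect server."
}

# 2. Device writeback materialises Azure AD devices as msDS-Device objects
#    under CN=RegisteredDevices. A missing container or zero objects means
#    writeback has not run (or is not enabled) for this forest.
$regContainer = "CN=RegisteredDevices,$domainDn"
$deviceQuery = @{
    SearchBase  = $regContainer
    SearchScope = 'Subtree'
    LDAPFilter  = '(objectClass=msDS-Device)'
    Properties  = 'displayName'
    ErrorAction = 'SilentlyContinue'
}
$devices = @(Get-ADObject @deviceQuery)
"Devices written back under $regContainer : $($devices.Count)"

# 3. Computer objects whose msDS-KeyCredentialLink is populated. Each value is
#    a DN-with-binary string "B:<hexdigits>:<hex>:<DN>"; we report the number
#    of values and the blob size in bytes (hex digit count / 2), not contents.
Get-ADComputer -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
    ForEach-Object {
        $values = @($_.'msDS-KeyCredentialLink')
        [pscustomobject]@{
            Computer  = $_.Name
            KeyCount  = $values.Count
            BlobBytes = ($values | ForEach-Object { [int]($_ -split ':')[1] / 2 }) -join ','
        }
    } | Format-Table -AutoSize
```

Run it as an account with read access to the domain; nothing is written.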

testuser7-8288 answered

Thanks @MarileeTurscak-MSFT

I had read that page too, along with other pages in the docs, and that is why I think it conflicts with other pages.


If you look at https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment


OR
https://interopevents.blob.core.windows.net/


there is NO mention of device authentication just for CERTIFICATE creation.


Of course, if you are interested in ePRT, you definitely need the device public key in on-prem AD.



Besides, if the device public key is needed at all for user certificate creation, then device synchronization must happen before WHfB provisioning starts.

This will break the whole cert-trust model, which can be accomplished synchronously because the device will get the user-key receipt to proceed with cert creation and need NOT wait for the user writeback.


There is no such mention of device-key-receipt etc.

Have you actually done this setup and seen a failure without device writeback? Or is your input based on documentation?


