Device Writeback

testuser7 271 Reputation points
2021-07-14T19:51:12.007+00:00

Hello,

I have one quick and binary question. I appreciate your help.
Is "device writeback" mandatory for JUST the "Windows Hello Cert-Trust Model"?

I am NOT interested in obtaining enterprise-PRT through ADFS.

It is a simple use case of Hybrid Azure AD join authentication using a certificate.

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2021-07-14T23:26:17.043+00:00

    Hi @testuser7 ,

    Thanks for your post!

    Yes, it is mandatory. Hybrid certificate trust deployments need the device writeback feature, and this is mentioned in the prerequisites for the setup guide.

    If users are synchronized and devices are not, there can be Windows Hello for Business certificate enrollment failures. Windows Hello for Business is tied to a user and a device. Both the user and the device need to be synchronized between Azure Active Directory and Active Directory, and therefore device writeback is used to update the msDS-KeyCredentialLink attribute on the computer object.

    Sources:

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust

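    The answer above names two things a practitioner can verify before starting hybrid cert-trust provisioning: that device writeback is turned on in Azure AD Connect, and that the device's key has actually landed in the computer object's msDS-KeyCredentialLink attribute in on-premises AD. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft's documentation. It assumes the ADSync module is available on the Azure AD Connect server (the DeviceWriteback property of Get-ADSyncAADCompanyFeature is assumed to reflect the writeback state), that the ActiveDirectory RSAT module is present where step 2 runs, and that the computer name and the RegisteredDevices container path are placeholders you substitute for your environment.

```powershell
# Added example (not from the thread): pre-flight checks for hybrid cert-trust WHfB.
# Run step 1 on the Azure AD Connect server and step 2 on a domain-joined admin box.
param(
    [string]$ComputerName = 'HYBRIDPC01'   # constructed sample name, replace with a real device
)

# --- Step 1: is device writeback enabled in Azure AD Connect at all? ---
# Assumption: Get-ADSyncAADCompanyFeature exposes a DeviceWriteback boolean.
Import-Module ADSync -ErrorAction Stop
$features = Get-ADSyncAADCompanyFeature
if (-not $features.DeviceWriteback) {
    Write-Warning 'Device writeback is disabled in Azure AD Connect; enable it before WHfB cert-trust provisioning.'
} else {
    Write-Output 'Device writeback is enabled in Azure AD Connect.'
}

# --- Step 2: has the device key reached on-prem AD? ---
Import-Module ActiveDirectory -ErrorAction Stop

# 2a. The computer object itself: the answer above says writeback updates msDS-KeyCredentialLink here.
$computer = Get-ADComputer -Identity $ComputerName -Properties 'msDS-KeyCredentialLink'
$links = @($computer.'msDS-KeyCredentialLink')
if ($links.Count -eq 0) {
    Write-Warning "$ComputerName has no msDS-KeyCredentialLink yet; device registration has not synced back."
} else {
    Write-Output "$ComputerName has $($links.Count) key credential link(s) on its computer object."
}

# 2b. The RegisteredDevices container that device writeback populates.
# Assumption: container lives directly under the domain root (adjust the DN if you placed it elsewhere).
$domainDn   = (Get-ADDomain).DistinguishedName
$devicesOu  = "CN=RegisteredDevices,$domainDn"
$written    = Get-ADObject -SearchBase $devicesOu -Filter "objectClass -eq 'msDS-Device'" -ErrorAction SilentlyContinue
if (-not $written) {
    Write-Warning "No msDS-Device objects found under $devicesOu; either writeback never ran or the container is elsewhere."
} else {
    Write-Output "$(@($written).Count) device object(s) written back under $devicesOu."
}
```

    If step 1 reports writeback enabled but step 2 finds nothing for the device, wait for (or force) a delta sync cycle and re-run step 2; a user that has already been synchronized will otherwise hit the certificate enrollment failure the answer describes.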

  2. testuser7 271 Reputation points
    2021-07-15T12:23:21.223+00:00

    Thanks @Marilee Turscak-MSFT

    I had read that page as well, along with other pages in the docs, and that is why I think it conflicts with other pages.

    If you look https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment

    OR
    https://interopevents.blob.core.windows.net/

    there is NO mention of device authentication just for CERTIFICATE creation.

    Of course, if you are interested in ePRT, you definitely need the device public key in on-prem AD.

    Besides, if the device public key is needed at all for user CERTIFICATE creation, then device synchronization must happen before WHfB provisioning starts.

    This will break the whole cert-trust model, which can be accomplished synchronously, as the device will get the user key receipt to proceed with cert creation and need NOT wait for the user writeback.

    There is no such mention of a device key receipt etc.

    Have you practically done this setup and got a failure without device writeback? Or is your input based on documentation?
