Hey everyone, I've got a situation here in my hybrid environment where we're using Windows Hello for Business (WHfB) with Cloud Trust and Remote Credential Guard. Everything's been set up and is working smoothly. Previously, we had been using Duo for two-factor authentication (2FA) to secure our domain admin accounts, and I intended to keep that setup while using WHfB. However, I found out that Remote Credential Guard isn't compatible with Duo. I'm curious to know how others are managing 2FA for domain admin accounts in similar setups or if anyone has found a workaround for this issue. Thanks for any insights!
1 Answer
Have you considered using privileged access workstations (PAWs)? If you're using those, you could Entra-join the machines and apply different authentication methods like smart cards or passkeys for your privileged accounts. Personally, I rarely need to enter my domain admin password anymore, but I do for PowerShell administrative tasks. If your domain admins are signing in on any machine, shifting to PAWs could improve security.
Good point! But to clarify, our admins can’t log into endpoints with their domain admin credentials; I'm mainly looking at 2FA when they're accessing servers.