I'm currently using Certificate Trust deployment for Windows Hello for Business (WHfB) with our on-premises PKI. I'm considering a switch to Cloud Kerberos Trust deployment, which is detailed in the documentation I linked. My main question is whether I can completely eliminate my internal PKI setup, especially since we still have some on-prem servers and Active Directory services. Any insights would be greatly appreciated!
1 Answer
You actually don’t need to maintain an internal PKI for Cloud Kerberos Trust or to operate your Active Directory. If the only reason for keeping the internal PKI is to support WHfB, you can definitely drop it. Of course, you might find it useful for other needs in the future, but you can always set it back up if necessary later on.
Thank you so much! That’s what I thought, just wanted to double-check.