This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 25%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFB%3C/text%3E%3C/svg%3E)
Hello,
Today we have deloyed Windows Hello for Business to all our end user Windows 10 devices based on the "Certificate Trust" deployment. We have now prepared, configured and tested with success the "Cloud Kerberos trust" deployment.
We have understood that during the migration from the on-premise deployment to the hybrid deployment, we have to force users to re-enrolle them with Windows Hello for Business. Please correct me if I am wrong.
Now we are wondering, what would be the impact if we decomission the AD FS before having redeployed all our users to the hybrid scenario "Cloud Kerberos Trust"?
For users not migration to the hybrid deployement, will WHFB still work without AD FS? What will happen if the certificate delivered by the internal certificate authority get expired? Will the certificate still be renewed by the PKI, without going through the AD FS? Or will the user get stuck, with a none working PIN? Thanks.