Is Always On VPN or Pre-login VPN required for Cloud Key trust?

We have a customer that is 100% Azure AD joined, with all machines running Windows 11.

They still have a need for on-prem despite heavily using SharePoint Online, OneDrive for Business and Teams.

We’re looking into Cloud Key Trust for Windows Hello for Business to enable passwordless auth with FIDO2 hardware keys.

I have tested cloud key trust here and it seems like, for remote users (since they are 100% remote), it is the solution.

They are using the latest version of Entra ID Connect (Azure AD Connect) running on Windows Server 2022. They are all 100% hybrid user IDs synced from a single forest to a single Entra ID tenant.

However, it sounds like the Kerberos tickets (looking at the klist CLI command when visiting a UNC path) are not showing up despite being connected to VPN.

I'm wondering if pre-connecting to VPN is required before logging into Windows for Kerberos tickets to work with CKT WH4B?

No, just turn it on and update the clients and done.

Do their accounts exist in the local domain controller?

Using adsync?

For AAD devices, the Kerberos TGT wouldn't show on the DC; check the clients for these TGT tickets.

Event Viewer has details on the cloud trust/TGT etc. You only need a VPN if off site and trying to connect to onsite resources, as you would have done pre AAD only.
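The client-side check suggested in the reply above, written out as an added example (this is not a script from the thread or from Microsoft). It runs on the Windows 11 client as the signed-in user and uses only the built-in `klist.exe` and `nltest.exe` commands. Assumptions: the cloud Kerberos trust TGT shows in `klist tickets` with the server name `krbtgt/KERBEROS.MICROSOFTONLINE.COM`, the on-prem TGT with `krbtgt/<DOMAIN>`, and the domain name `corp.example.com` is a placeholder you replace with the customer's forest name.

```powershell
# Added example, not code from the thread. Checks whether the signed-in user
# holds the cloud TGT (issued at logon by Entra ID, no line of sight needed)
# and the on-prem TGT (only obtainable once a domain controller is reachable,
# e.g. after the VPN is up). Domain name below is a placeholder assumption.
param(
    [string]$OnPremDomain = 'corp.example.com'   # placeholder: replace with the real forest
)

function Get-KerberosTgtStatus {
    param([string]$Domain)
    # 'klist cloud_debug' is the documented troubleshooting switch for cloud Kerberos trust
    $cloudDebug = & klist.exe cloud_debug 2>&1
    $tickets    = & klist.exe tickets 2>&1

    # Assumed server names for the two TGTs (see lead-in)
    $cloudTgt  = @($tickets -match 'krbtgt/KERBEROS\.MICROSOFTONLINE\.COM').Count -gt 0
    $realmEsc  = [regex]::Escape($Domain.ToUpper())
    $onPremTgt = @($tickets -match "krbtgt/$realmEsc").Count -gt 0

    [pscustomobject]@{
        CloudTgtPresent  = $cloudTgt
        OnPremTgtPresent = $onPremTgt
        CloudDebug       = ($cloudDebug -join "`n")
    }
}

function Test-DomainControllerReachable {
    param([string]$Domain)
    # nltest locates a DC via DC Locator; a non-zero exit code means no DC is reachable
    $out = & nltest.exe /dsgetdc:$Domain 2>&1
    [pscustomobject]@{
        Reachable = ($LASTEXITCODE -eq 0)
        Output    = ($out -join "`n")
    }
}

function Get-RecentDeviceRegistrationEvents {
    # Assumption: the User Device Registration admin log is where the client records
    # cloud trust / TGT activity worth reading alongside the klist output.
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$tgt = Get-KerberosTgtStatus -Domain $OnPremDomain
$dc  = Test-DomainControllerReachable -Domain $OnPremDomain

Write-Host "Cloud TGT present  : $($tgt.CloudTgtPresent)"
Write-Host "On-prem TGT present: $($tgt.OnPremTgtPresent)"
Write-Host "DC reachable       : $($dc.Reachable)"
Write-Host "`n--- klist cloud_debug ---`n$($tgt.CloudDebug)"

if (-not $tgt.CloudTgtPresent) {
    Write-Warning 'No cloud TGT: check the cloud Kerberos trust policy and the Entra Kerberos server object.'
}
elseif (-not $dc.Reachable) {
    # Expected state for a remote user before the VPN is connected: the cloud TGT exists,
    # but it cannot be exchanged for an on-prem TGT until a DC is reachable.
    Write-Warning 'Cloud TGT present but no DC reachable; connect the VPN, then re-run.'
}
elseif (-not $tgt.OnPremTgtPresent) {
    # DC reachable but no on-prem TGT yet: request it explicitly rather than waiting for
    # the next resource access (purge first so stale tickets do not mask the result).
    & klist.exe purge | Out-Null
    & klist.exe get "krbtgt/$($OnPremDomain.ToUpper())"
    $tgt = Get-KerberosTgtStatus -Domain $OnPremDomain
    Write-Host "On-prem TGT after explicit request: $($tgt.OnPremTgtPresent)"
}

Get-RecentDeviceRegistrationEvents | Format-Table -AutoSize
```

Run it once before the VPN is connected and once after: the cloud TGT should be present in both runs (it is issued at sign-in without line of sight to a DC), while the on-prem TGT and the DC reachability check should flip to true only after the VPN is up, which is the behaviour the reply above describes.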

All are hybrid user IDs synced with AAD Connect running on Windows Server 2022.

Right, but is VPN needed when off-site, pre-login?

My users open the VPN whenever they want to access the SMB shares. What issue are you having?