Eliminating Password Risk In Insurance With Windows Hello For Business

A leading direct insurance provider across Australia and New Zealand, with recent expansion into Canada, specialises in technology and data analytics to design, administer, and distribute affordable insurance products. The organisation operates a hybrid-joined fleet of approximately 1,576 corporate Windows endpoints managed via Microsoft Intune.

Challenges

The organisation’s reliance on password-based endpoint authentication exposed the business to phishing and credential theft risk, with a corresponding helpdesk burden from password resets and account lockouts. The environment lacked phishing-resistant biometric or PIN authentication backed by hardware-bound TPM keys, and endpoint authentication did not yet align with the Zero Trust direction set by the business.

A legacy Windows Hello Group Policy Object also remained linked in Active Directory, creating a policy conflict risk for any future Intune-based passwordless rollout. The organisation needed to align with its broader modern workplace and Zero Trust direction, without taking on the cost and operational overhead of standing up internal PKI for certificate or key trust models.

Solution

Oreta assessed readiness across identity, Active Directory, Kerberos, and endpoint posture, then designed Windows Hello for Business around the Cloud Kerberos Trust model. Cloud Kerberos Trust was selected because it requires no PKI and carries the lowest operational overhead, and it was already supported by the existing Windows Server 2022 domain controllers and a healthy hybrid identity environment.

A production Intune Settings Catalog profile was designed with TPM required, biometrics enabled, a six-digit minimum PIN, and enhanced anti-spoofing for facial recognition. The rollout was delivered in three waves (Prerequisites, Pilot, and Production), with rollback points and clear success criteria defined for each wave. The legacy Windows Hello GPO was decommissioned, and a user communications plan was delivered, including screencasts, quick reference guides, and Tier 1 service desk enablement.
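The readiness and conflict checks described above can be scripted per endpoint. The following PowerShell is an added illustration, not Oreta's or the insurer's own tooling: it verifies the TPM is usable, confirms the device is hybrid joined (a Cloud Kerberos Trust prerequisite), detects Windows Hello settings still being delivered by a GPO, and checks that the Intune-applied policy enforces the six-digit minimum PIN. The registry locations for GPO-written (directly under the PassportForWork key) and CSP-written (under a TenantId subkey) settings, and the Intune remediation usage, are assumptions to verify in your own environment.

```powershell
# Added example: Windows Hello for Business (Cloud Kerberos Trust) endpoint readiness
# and policy-conflict check. Run elevated on a Windows 10/11 device, for example as an
# Intune remediation detection script. Registry layout below is an assumption.

function Get-DsregJoinState {
    # Parses 'dsregcmd /status' output into the join facts that matter for Cloud
    # Kerberos Trust. Takes the text as a parameter so it can be exercised offline
    # against captured output.
    param([Parameter(Mandatory)][string[]]$StatusText)
    $state = [ordered]@{ AzureAdJoined = $false; DomainJoined = $false; TenantId = $null }
    foreach ($line in $StatusText) {
        if     ($line -match '^\s*AzureAdJoined\s*:\s*(YES|NO)\s*$') { $state.AzureAdJoined = ($Matches[1] -eq 'YES') }
        elseif ($line -match '^\s*DomainJoined\s*:\s*(YES|NO)\s*$')  { $state.DomainJoined  = ($Matches[1] -eq 'YES') }
        elseif ($line -match '^\s*TenantId\s*:\s*([0-9a-fA-F-]{36})') { $state.TenantId = $Matches[1] }
    }
    $state.HybridJoined = ($state.AzureAdJoined -and $state.DomainJoined)
    return [pscustomobject]$state
}

function Test-WhfbReadiness {
    param(
        [int]$RequiredMinimumPinLength = 6,   # the production profile's PIN setting
        # Assumption: GPO-managed Windows Hello values land directly under this key,
        # while the Intune PassportForWork CSP writes under a <TenantId> subkey of it.
        [string]$PassportPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM-bound credentials require a present and ready TPM (Get-Tpm ships with Windows).
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))")
    }

    # 2. Cloud Kerberos Trust needs a hybrid-joined device (cloud-joined and AD-joined).
    $join = Get-DsregJoinState -StatusText (& dsregcmd /status)
    if (-not $join.HybridJoined) {
        $findings.Add("Not hybrid joined (AzureAdJoined=$($join.AzureAdJoined), DomainJoined=$($join.DomainJoined))")
    }

    # 3. Conflict check: values written straight under the root come from the legacy GPO;
    #    after decommissioning, the Intune profile should be the only source of policy.
    $gpo = Get-ItemProperty -Path $PassportPolicyRoot -ErrorAction SilentlyContinue
    if ($gpo -and ($null -ne $gpo.Enabled -or $null -ne $gpo.RequireSecurityDevice)) {
        $findings.Add("Legacy GPO Windows Hello settings still applied under $PassportPolicyRoot")
    }

    # 4. Intune (CSP) policy presence and the minimum PIN length the rollout mandates.
    $tenantKey = if ($join.TenantId) { Join-Path $PassportPolicyRoot $join.TenantId } else { $null }
    if (-not $tenantKey -or -not (Test-Path $tenantKey)) {
        $findings.Add('No tenant-scoped PassportForWork policy found; Intune profile not yet applied')
    } else {
        # Assumption: the CSP mirrors the GPO layout, with PIN rules in a PINComplexity subkey.
        $pinKey = Join-Path $tenantKey 'Device\Policies\PINComplexity'
        $pin = Get-ItemProperty -Path $pinKey -ErrorAction SilentlyContinue
        if (-not $pin -or [int]$pin.MinimumPINLength -lt $RequiredMinimumPinLength) {
            $findings.Add("MinimumPINLength is '$($pin.MinimumPINLength)', below the required $RequiredMinimumPinLength")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage (elevated). A non-zero exit lets an Intune remediation flag the device as not ready.
$result = Test-WhfbReadiness
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

Keeping the dsregcmd parsing in its own function means the join logic can be tested against saved output from pilot devices before the check is pushed fleet-wide, and the findings list gives the service desk a concrete reason per device rather than a bare pass/fail.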

Outcome

• 1,576 hybrid-joined Windows endpoints assessed and prepared for passwordless rollout.
• Cloud Kerberos Trust selected, eliminating the need for PKI and reducing operational overhead.
• Phishing-resistant authentication implemented using TPM-bound credentials, AES-256 Kerberos, and enhanced anti-spoofing controls.
• Legacy Windows Hello GPO retired, with configuration centralised in Intune Settings Catalog.
