Understand authentication methods—key trust, certificate trust, and TPM

This unit explains the authentication choices you make for Windows Hello for Business and device-based authentication: key trust, certificate trust, and the role of the TPM. You learn how each option works, its deployment implications, and when to choose one approach over another.

Key trust, certificate trust, and cloud Kerberos trust are models for Windows Hello for Business (WHfB) that replace passwords with strong device-bound credentials. These trust types apply to hybrid deployments where devices need to authenticate to on-premises Active Directory; cloud-only deployments don't require a trust type.

Cloud Kerberos trust is the recommended deployment model for hybrid environments. The device authenticates to on-premises Active Directory by requesting a Ticket Granting Ticket (TGT) from Microsoft Entra ID using Microsoft Entra Kerberos, without requiring end-user certificates.

  • Pros: No PKI required; it's the only hybrid option without a PKI dependency. Shares infrastructure with FIDO2 security key sign-in. Recommended for new hybrid deployments and for migrations away from key trust.
  • Cons: Requires Microsoft Entra Kerberos to be configured for your on-premises Active Directory.

Tip

Microsoft recommends Cloud Kerberos trust for most new hybrid Windows Hello for Business deployments. Only choose key or certificate trust when you have a specific requirement that Cloud Kerberos trust cannot meet.

Key trust

The device presents a cryptographic key that Microsoft Entra ID trusts. Users authenticate with a key stored in the device's TPM. Microsoft Entra ID validates the authentication, but on-premises authentication requires domain controller certificates from your PKI.

  • Pros: A reasonable choice when you already have PKI in place for DC certificates but don't need to issue user certificates.
  • Cons: Requires PKI for domain controller certificates. More infrastructure overhead than Cloud Kerberos trust.

Certificate trust

The device uses a user or device certificate issued by your on-premises PKI. The certificate is proof of identity during authentication and is validated against your certificate authority chain.

  • Pros: Works for hybrid environments that need certificate-based authentication to on-premises resources and already maintain full PKI.
  • Cons: Requires PKI for both domain controller certificates and end-user certificates. Highest operational overhead of the three options.

PKI requirements by trust type

Deployment   Trust type       PKI required?
Hybrid       Cloud Kerberos   No
Hybrid       Key              Yes (DC certificates only)
Hybrid       Certificate      Yes (DC certificates + user certificates)

How the TPM fits in

The Trusted Platform Module (TPM) stores private keys and helps protect them from extraction. TPM-backed keys provide stronger assurance because the private key never leaves the hardware.

  • TPM 2.0: Required for modern Windows devices. Supports hardware-backed key protection and attestation.
  • Without TPM: Keys might be stored in software-based keystores. This approach is less secure and can affect compliance and Conditional Access signals.

Important

For production deployments, prefer TPM-backed keys to reduce the risk of credential theft and to provide stronger device signals to conditional access.
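The following PowerShell script is an added example and is not part of this Microsoft Learn unit. It checks the three things the TPM guidance above depends on: whether a TPM is present and ready, whether it is a TPM 2.0 part, and whether device policy requires Windows Hello for Business to use it. It assumes Windows 10/11 run elevated, the built-in Get-Tpm cmdlet and Win32_Tpm CIM class, and that the RequireSecurityDevice value under the PassportForWork policy key is the "use a hardware security device" setting; that value name is my assumption and should be confirmed against your own policy reference.

```powershell
# Added example; not part of the Microsoft Learn unit. Reports whether a device can
# back Windows Hello for Business keys with a TPM 2.0 and whether policy requires it.
# Assumptions: Windows 10/11, run elevated; Get-Tpm (TrustedPlatformModule) and the
# Win32_Tpm CIM class ship with Windows; RequireSecurityDevice under the
# PassportForWork policy key is the "use a hardware security device" setting
# (assumed value name - confirm against your policy reference).

function Get-WhfbTpmReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent        = $false
        TpmReady          = $false
        SpecVersion       = $null
        IsTpm20           = $false
        PolicyRequiresTpm = $false
        Verdict           = 'Unknown'
    }

    # Presence and readiness (owned and provisioned) come from the TPM module.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }
    catch {
        Write-Verbose "Get-Tpm failed: $($_.Exception.Message)"
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the spec family.
    $cim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($cim -and $cim.SpecVersion) {
        $result.SpecVersion = $cim.SpecVersion
        $family = ($cim.SpecVersion -split ',')[0].Trim()
        if ($family -match '^(\d+)\.') {
            $result.IsTpm20 = ([int]$matches[1]) -ge 2
        }
    }

    # Policy check (assumed value name): 1 means provisioning must use the TPM
    # rather than a software-backed keystore.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $policy = Get-ItemProperty -Path $policyPath -Name 'RequireSecurityDevice' `
                               -ErrorAction SilentlyContinue
    if ($policy) { $result.PolicyRequiresTpm = ($policy.RequireSecurityDevice -eq 1) }

    # Verdict follows the unit's guidance: prefer TPM 2.0-backed keys in production.
    if ($result.TpmPresent -and $result.TpmReady -and $result.IsTpm20) {
        $result.Verdict = if ($result.PolicyRequiresTpm) {
            'Hardware-backed keys, enforced by policy'
        } else {
            'TPM 2.0 ready, but policy does not require it; keys could still be software-backed'
        }
    }
    elseif ($result.TpmPresent) {
        $result.Verdict = 'TPM present but not ready or not 2.0; expect software-backed keys'
    }
    else {
        $result.Verdict = 'No TPM; keys will be software-backed'
    }

    [pscustomobject]$result
}

Get-WhfbTpmReadiness | Format-List
```

Run it through your management tooling across the fleet and treat any verdict other than "Hardware-backed keys, enforced by policy" as a gap: a ready TPM without the policy still leaves a path to software-backed keys, which is exactly the weaker Conditional Access signal the unit warns about.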

Deployment considerations

  • Cloud-only tenants: No trust type is required; Windows Hello for Business functions without on-premises AD dependency.
  • Hybrid tenants — new deployments: Start with Cloud Kerberos trust. It avoids PKI complexity while providing full on-premises authentication.
  • Hybrid tenants — existing PKI: Key trust is an option if you already issue DC certificates. Certificate trust suits environments that also issue user certificates for other purposes.
  • TPM availability: Confirm device fleet TPM capability and configure Windows Hello for Business settings to require TPM when possible. Windows 11 requires TPM 2.0.
  • User experience: All three models let users sign in with PIN or biometrics; certificate trust may add extra enrollment steps due to user certificate issuance.

For most new hybrid deployments, start with Cloud Kerberos trust. Choose key trust when you already have PKI but don’t need user certificates, and certificate trust only when PKI-based user certificates are a firm requirement. Require TPM where possible to increase credential protection and strengthen Conditional Access signals.
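The script below is an added example, not part of this Microsoft Learn unit, showing how to confirm on a device which of the paths described above is actually in use. It parses the output of dsregcmd /status (a built-in Windows tool) and reports hybrid join state, whether the Windows Hello for Business key is TPM-protected, and whether an on-premises TGT was obtained through Microsoft Entra Kerberos. The sample output embedded in the script is constructed so the parser runs offline; the field names (KeyProvider, TpmProtected, OnPremTgt, CloudTgt, NgcSet) are those I know from real dsregcmd output, and the assessment text is my interpretation of them rather than anything the tool itself prints.

```powershell
# Added example; not part of the Microsoft Learn unit. Parses dsregcmd /status to show
# which Windows Hello for Business trust path a hybrid-joined device is using.
# Assumptions: field names as seen in real dsregcmd output; the assessment strings are
# my interpretation; $sample below is constructed, not captured from a real device.

$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
                 OnPremTgt : YES
                  CloudTgt : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
'@

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string]$Text)
    # Field lines look like "   KeyProvider : value"; banner lines start with + or |
    # and so never match. The first colon ends the key, so values may contain colons.
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $fields
}

function Get-WhfbTrustIndicators {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $hybridJoined = ($Fields['AzureAdJoined'] -eq 'YES') -and ($Fields['DomainJoined'] -eq 'YES')
    $provisioned  = $Fields['NgcSet'] -eq 'YES'
    $tpmProtected = $Fields['TpmProtected'] -eq 'YES'
    $onPremTgt    = $Fields['OnPremTgt'] -eq 'YES'
    $cloudTgt     = $Fields['CloudTgt'] -eq 'YES'

    # Interpretation (mine, not dsregcmd's): an on-premises TGT issued alongside the
    # cloud TGT means Microsoft Entra Kerberos supplied it, i.e. cloud Kerberos trust.
    $assessment = if (-not $hybridJoined) {
        'Not hybrid joined; trust type does not apply'
    } elseif (-not $provisioned) {
        'Windows Hello for Business not provisioned for this user yet'
    } elseif ($onPremTgt -and $cloudTgt) {
        'On-premises TGT obtained through Microsoft Entra Kerberos (cloud Kerberos trust path)'
    } else {
        'No TGT from Microsoft Entra Kerberos; on-premises sign-in relies on key or certificate trust (DC certificates) or is not yet configured'
    }

    [pscustomobject]@{
        HybridJoined    = $hybridJoined
        WhfbProvisioned = $provisioned
        KeyProvider     = $Fields['KeyProvider']
        TpmProtected    = $tpmProtected
        OnPremTgt       = $onPremTgt
        CloudTgt        = $cloudTgt
        Assessment      = $assessment
    }
}

# Constructed sample first; then the live device if dsregcmd.exe is available.
Get-WhfbTrustIndicators -Fields (ConvertFrom-DsregcmdStatus -Text $sample) | Format-List
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $live = (& dsregcmd.exe /status) -join "`n"
    Get-WhfbTrustIndicators -Fields (ConvertFrom-DsregcmdStatus -Text $live) | Format-List
}
```

Two fields matter most for the guidance in this unit: TpmProtected, which should be YES on any device you expect to satisfy a TPM requirement, and the OnPremTgt/CloudTgt pair, which tells you whether a device you migrated to cloud Kerberos trust is actually obtaining its on-premises ticket through Microsoft Entra Kerberos rather than still depending on domain controller certificates.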