Hybrid certificate trust deployment guide

This article describes Windows Hello for Business functionalities or scenarios that apply to:


Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see cloud Kerberos trust deployment.


Before starting the deployment, review the requirements described in the Plan a Windows Hello for Business Deployment article.

Ensure that the following requirements are met before you begin:

Deployment steps

Federated authentication to Microsoft Entra ID

Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.

If you're new to AD FS and federation services:

Once you have your AD FS design ready, review deploying a federation server farm to configure AD FS in your environment

The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of KB4088889 (14393.2155).

Device registration and device write-back

Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either Microsoft Entra join or Microsoft Entra hybrid join.
For Microsoft Entra hybrid joined devices, review the guidance on the plan your Microsoft Entra hybrid join implementation page.

Refer to the Configure Microsoft Entra hybrid join for federated domains guide to learn more about using Microsoft Entra Connect Sync to configure Microsoft Entra device registration.
For a manual configuration of your AD FS farm to support device registration, review the Configure AD FS for Microsoft Entra device registration guide.

Hybrid certificate trust deployments require the device write-back feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.


Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object.

If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using Custom Settings, you must ensure to configure device write-back and device authentication in your AD FS farm. For more information, see Configure Device Write Back and Device Authentication.

Public Key Infrastructure

An enterprise public key infrastructure (PKI) is required as trust anchor for authentication. Domain controllers require a certificate for Windows clients to trust them.
The enterprise PKI and a certificate registration authority (CRA) are required to issue authentication certificates to users. Hybrid certificate trust deployment uses AD FS as a CRA.

During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.

Next steps

Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:

  • Configure and validate the PKI
  • Configure AD FS
  • Configure Windows Hello for Business settings
  • Provision Windows Hello for Business on Windows clients
  • Configure single sign-on (SSO) for Microsoft Entra joined devices