Hybrid certificate trust deployment

This document describes Windows Hello for Business functionalities or scenarios that apply to:

Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.

This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.


Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see cloud Kerberos trust deployment.

It's recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.


The following prerequisites must be met for a hybrid certificate trust deployment:

  • Directories and directory synchronization
  • Federated authentication to Azure AD
  • Device registration
  • Public Key Infrastructure
  • Multi-factor authentication
  • Device management

Directories and directory synchronization

Hybrid Windows Hello for Business needs two directories:

  • An on-premises Active Directory
  • An Azure Active Directory tenant with an Azure AD Premium subscription

The two directories must be synchronized with Azure AD Connect Sync, which synchronizes user accounts from the on-premises Active Directory to Azure AD. The hybrid-certificate trust deployment needs an Azure Active Directory Premium subscription because it uses the device write-back synchronization feature.


Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.


Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Azure Active Directory and Active Directory.

Federated authentication to Azure AD

Windows Hello for Business hybrid certificate trust doesn't support Azure AD Pass-through Authentication (PTA) or password hash sync (PHS).
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.

If you're new to AD FS and federation services:

Once you have your AD FS design ready:

The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of KB4088889 (14393.2155).

Device registration and device write-back

Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either Azure AD join or hybrid Azure AD join.
For hybrid Azure AD joined devices, review the guidance on the plan your hybrid Azure Active Directory join implementation page.

Refer to the Configure hybrid Azure Active Directory join for federated domains guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.
For a manual configuration of your AD FS farm to support device registration, review the Configure AD FS for Azure AD device registration guide.

Hybrid certificate trust deployments require the device write-back feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.


Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object.

If you manually configured AD FS, or if you ran Azure AD Connect Sync using Custom Settings, you must ensure that you have configured device write-back and device authentication in your AD FS farm. For more information, see Configure Device Write Back and Device Authentication.

Public Key Infrastructure

An enterprise public key infrastructure (PKI) is required as trust anchor for authentication. Domain controllers require a certificate for Windows clients to trust them.
The enterprise PKI and a certificate registration authority (CRA) are required to issue authentication certificates to users. Hybrid certificate trust deployment uses AD FS as a CRA.

During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.

Multi-factor authentication

The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.
Hybrid deployments can use:

  • Azure AD Multi-Factor Authentication
  • A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS

For more information how to configure Azure AD Multi-Factor Authentication, see Configure Azure AD Multi-Factor Authentication settings.
For more information how to configure AD FS to provide multi-factor authentication, see Configure Azure MFA as authentication provider with AD FS.

Device management

To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.

Next steps

Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:

  • Configure and validate the PKI
  • Configure AD FS
  • Configure Windows Hello for Business settings
  • Provision Windows Hello for Business on Windows clients
  • Configure single sign-on (SSO) for Azure AD joined devices