Hybrid certificate trust deployment

This document describes Windows Hello for Business functionalities or scenarios that apply to:


Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.

This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.

Important

Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see cloud Kerberos trust deployment.

It's recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.

Prerequisites

The following prerequisites must be met for a hybrid certificate trust deployment:

  • Directories and directory synchronization
  • Federated authentication to Microsoft Entra ID
  • Device registration
  • Public Key Infrastructure
  • Multifactor authentication
  • Device management

Directories and directory synchronization

Hybrid Windows Hello for Business needs two directories:

  • An on-premises Active Directory
  • A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription

The two directories must be synchronized with Microsoft Entra Connect Sync, which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID. The hybrid-certificate trust deployment needs an Microsoft Entra ID P1 or P2 subscription because it uses the device write-back synchronization feature.

Note

Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.

Important

Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.

Federated authentication to Microsoft Entra ID

Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID Pass-through Authentication (PTA) or password hash sync (PHS).
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.

If you're new to AD FS and federation services:

Once you have your AD FS design ready:

The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of KB4088889 (14393.2155).

Device registration and device write-back

Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either Microsoft Entra join or Microsoft Entra hybrid join.
For Microsoft Entra hybrid joined devices, review the guidance on the plan your Microsoft Entra hybrid join implementation page.

Refer to the Configure Microsoft Entra hybrid join for federated domains guide to learn more about using Microsoft Entra Connect Sync to configure Microsoft Entra device registration.
For a manual configuration of your AD FS farm to support device registration, review the Configure AD FS for Microsoft Entra device registration guide.

Hybrid certificate trust deployments require the device write-back feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.

Note

Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object.

If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using Custom Settings, you must ensure that you have configured device write-back and device authentication in your AD FS farm. For more information, see Configure Device Write Back and Device Authentication.

Public Key Infrastructure

An enterprise public key infrastructure (PKI) is required as trust anchor for authentication. Domain controllers require a certificate for Windows clients to trust them.
The enterprise PKI and a certificate registration authority (CRA) are required to issue authentication certificates to users. Hybrid certificate trust deployment uses AD FS as a CRA.

During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.

Multifactor authentication

The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.
Hybrid deployments can use:

For more information how to configure Microsoft Entra multifactor authentication, see Configure Microsoft Entra multifactor authentication settings.
For more information how to configure AD FS to provide multifactor authentication, see Configure Azure MFA as authentication provider with AD FS.

Device management

To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.

Next steps

Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:

  • Configure and validate the PKI
  • Configure AD FS
  • Configure Windows Hello for Business settings
  • Provision Windows Hello for Business on Windows clients
  • Configure single sign-on (SSO) for Microsoft Entra joined devices