Configure and enroll in Windows Hello for Business in hybrid certificate trust model
This article describes Windows Hello for Business functionalities or scenarios that apply to:
- Deployment type: hybrid
- Trust type: certificate trust
- Join type: Microsoft Entra join , Microsoft Entra hybrid join
Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps:
Configure Windows Hello for Business policy settings
There are two policy settings required to enable Windows Hello for Business in a certificate trust model:
Another optional, but recommended, policy setting is:
Use the following instructions to configure your devices using either Microsoft Intune or group policy (GPO).
You can configure the Use Windows Hello for Business policy setting in the computer or user node of a GPO:
- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment
- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment
If both user and computer policy settings are deployed, the user policy setting has precedence.
Tip
Use the same Windows Hello for Business Users security group to assign Certificate template permissions to ensure the same members can enroll in the Windows Hello for Business authentication certificate.
Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template.
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.
To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:
Group policy path | Group policy setting | Value |
---|---|---|
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business or User Configuration\Administrative Templates\Windows Components\Windows Hello for Business |
Use Windows Hello for Business | Enabled |
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business or User Configuration\Administrative Templates\Windows Components\Windows Hello for Business |
Use certificate for on-premises authentication | Enabled |
Computer Configuration\Windows Settings\Security Settings\Public Key Policies or User Configuration\Windows Settings\Security Settings\Public Key Policies |
Certificate Services Client - Auto-Enrollment | - Select Enabled from the Configuration Model - Select the Renew expired certificates, update pending certificates, and remove revoked certificates - Select Update certificates that use certificate templates |
Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business | Use a hardware security device | Enabled |
Note
The enablement of the Use a hardware security device policy setting is optional, but recommended.
Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.
Tip
The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see Policy conflicts from multiple policy sources
More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see Windows Hello for Business policy settings.
Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the User Device Registration admin log under Applications and Services Logs > Microsoft > Windows.
This information is also available using the dsregcmd.exe /status
command from a console. For more information, see dsregcmd.
User experience
After a user signs in, the Windows Hello for Business enrollment process begins:
- If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
- The user is prompted to use Windows Hello with the organization account. The user selects OK
- The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
- After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
- The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
Note
In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net
endpoint.
The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
Note
Windows Server 2016 update KB4088889 (14393.2155) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users don't need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
Sequence diagrams
To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
- Provisioning for Microsoft Entra joined devices with managed authentication
- Provisioning for Microsoft Entra joined devices with federated authentication
- Provisioning in a hybrid certificate trust deployment model with federated authentication
To better understand the authentication flows, review the following sequence diagram: