Windows Hello for Business Deployment Prerequisite Overview
This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
Azure AD Cloud Only Deployment
- Azure Active Directory
- Azure AD Multifactor Authentication
- Device management solution (Intune or supported third-party MDM), optional
- Azure AD Premium subscription - optional, needed for automatic MDM enrollment when the device joins Azure Active Directory
Hybrid Deployments
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Requirement | Cloud Kerberos trust Group Policy or Modern managed |
Key trust Group Policy or Modern managed |
Certificate Trust Mixed managed |
Certificate Trust Modern managed |
|---|---|---|---|---|
| Windows Version | Any supported Windows client versions | Any supported Windows client versions | Any supported Windows client versions | |
| Schema Version | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema |
| Domain and Forest Functional Level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Domain Controller Version | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
| Certificate Authority | Not required | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
| AD FS Version | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
| MFA Requirement | Azure MFA, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
| Azure AD Connect | Not required | Required | Required | Required |
| Azure AD License | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
On-premises Deployments
The table shows the minimum requirements for each deployment.
| Key trust Group Policy managed |
Certificate trust Group Policy managed |
|---|---|
| Any supported Windows client versions | Any supported Windows client versions |
| Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Any supported Windows Server versions | Any supported Windows Server versions |
| Any supported Windows Server versions | Any supported Windows Server versions |
| Any supported Windows Server versions | Any supported Windows Server versions |
| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
Feedback
Submit and view feedback for