Overview of Windows Hello for Business Hybrid options

What are the options for Windows Hello for Business, and which one is the best choice?

Dec 13, 2018 | Identity, Security

What’s Windows Hello for Business

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication. The credential is a new type of user credential that is tied to a device: an asymmetric key pair, protected by the TPM where one is available, that is unlocked with a biometric or a PIN. The PIN or biometric never leaves the device; it only releases the private key, which signs the authentication challenge. Windows Hello for Business can authenticate to on-premises Active Directory or to Azure Active Directory.

Windows Hello addresses the following problems with passwords:

  • Strong passwords are hard for people to remember, so they are often re-used and mixed between private and corporate apps.
  • Server breaches can expose symmetric network credentials (passwords).
  • Passwords are subject to replay attacks.
  • Users can inadvertently expose their passwords due to phishing attacks.

Windows Hello lets users authenticate to:

  • a Microsoft account.
  • an Active Directory account.
  • a Microsoft Azure Active Directory (Azure AD) account.
  • Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication (in progress)

After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user’s device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. From then on the user provides the gesture to verify their identity, and Windows uses Windows Hello to authenticate the user.

Windows Hello for Business Options

Windows Hello for Business has two deployment models for authentication to on-premises resources: Hybrid and On-premises. Each deployment model has two trust models: key trust or certificate trust.

The hybrid deployment model is for organizations that use Azure Active Directory (typically synchronized from on-premises Active Directory). On-premises deployments are for enterprises that use on-premises Active Directory exclusively. Remember that environments that use Azure Active Directory need to use the hybrid deployment model for every domain in that forest.

The trust model determines your requirements for authentication to the on-premises Active Directory:

  • The key-trust model is for enterprises that do not want to issue end-entity certificates to their users and have an adequate number of Windows Server 2016 domain controllers in each site to support authentication. Those domain controllers still need a certificate with the KDC Authentication EKU (from the Kerberos Authentication template) so that clients can verify them.
  • The certificate-trust model is for enterprises that do want to issue end-entity certificates to their users and has the benefits of certificate expiration and renewal, similar to how smart cards work today.
  • The certificate-trust model also supports enterprises that are not ready to deploy Windows Server 2016 domain controllers.
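The key-trust requirements above are concrete enough to check before choosing a model. The following script is an added example, not code from the original post: it inventories the domain controllers of the current domain per AD site and reports, for each one, whether it runs Windows Server 2016 or later and whether its machine store holds a valid certificate carrying the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5). It assumes the ActiveDirectory RSAT module is installed, WinRM access to each domain controller, and a single domain (use `-Server` on `Get-ADDomainController` for other domains in the forest).

```powershell
# Added example (not from the original post): per-site key-trust readiness of domain controllers.
# Assumes the ActiveDirectory RSAT module and WinRM access to every DC.
Import-Module ActiveDirectory

$kdcAuthEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU, issued by the Kerberos Authentication template

function Test-KeyTrustDc {
    param([Parameter(Mandatory)] $DomainController)

    # OperatingSystemVersion looks like "10.0 (14393)"; Windows Server 2016 and later report 10.0.
    $osVersion = [version]($DomainController.OperatingSystemVersion -replace '\s*\(.*\)$', '')
    $osOk = $osVersion -ge [version]'10.0'

    # Look in the DC's machine store for a non-expired cert with a private key and the KDC Authentication EKU.
    $certOk = Invoke-Command -ComputerName $DomainController.HostName -ErrorAction SilentlyContinue -ArgumentList $kdcAuthEku -ScriptBlock {
        param($eku)
        $now = Get-Date
        $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt $now -and
            (($_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $eku)
        }
        [bool]$match
    }

    [pscustomobject]@{
        Site       = $DomainController.Site
        Name       = $DomainController.HostName
        OS         = $DomainController.OperatingSystem
        Os2016Plus = $osOk
        KdcCert    = [bool]$certOk      # $null (unreachable DC) is reported as $false
        KeyTrustOk = $osOk -and [bool]$certOk
    }
}

$results = Get-ADDomainController -Filter * | ForEach-Object { Test-KeyTrustDc $_ }
$results | Format-Table -AutoSize

# Key trust needs ready DCs in every site that will serve Hello users; a site with 0/N
# is one that still needs Windows Server 2016 DCs (or the Kerberos Authentication cert) before key trust can work there.
$results | Group-Object Site | ForEach-Object {
    $ready = @($_.Group | Where-Object KeyTrustOk).Count
    '{0}: {1}/{2} domain controllers ready for key trust' -f $_.Name, $ready, $_.Count
}
```

An unreachable domain controller shows up as `KdcCert = False` rather than as an error, so treat a `False` on a DC you expected to pass as a prompt to check WinRM before concluding the certificate is missing.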

Following are the various deployment guides:

  • Hybrid Key Trust Deployment
  • On-Premises Key Trust Deployment
  • Hybrid Certificate Trust Deployment
  • On-Premises Certificate Trust Deployment


Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Organizations that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
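Whether a client actually ended up with a hardware-backed key, and whether it is in a state to provision one, is visible in the output of `dsregcmd /status`. The script below is an added example, not from the original post, that parses that output into a short readiness summary for a hybrid-joined device. The field names it looks for (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `NgcSet`, `TpmProtected`, `PolicyEnabled`, `DeviceEligible`, `PreReqResult`) are assumed from the tool's usual output; any field that is absent is reported as not reported rather than guessed, and the sample text is constructed, not captured from a real machine.

```powershell
# Added example (not from the original post): summarise Windows Hello for Business client state from dsregcmd /status.
# Field names are assumptions about the tool's output; missing fields are reported as such.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints right-aligned "   Key : Value" pairs; the box-drawing section headers do not match.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $map[$matches[1]] = $matches[2] }
    }
    $map
}

function Test-HelloClient {
    param([Parameter(Mandatory)][hashtable]$Status)
    $get = { param($k) if ($Status.ContainsKey($k)) { $Status[$k] } else { '(not reported)' } }
    [pscustomobject]@{
        HybridJoined     = ($Status['AzureAdJoined'] -eq 'YES' -and $Status['DomainJoined'] -eq 'YES')
        HasPrt           = $Status['AzureAdPrt'] -eq 'YES'     # a Primary Refresh Token is required before Hello can provision
        HelloProvisioned = $Status['NgcSet'] -eq 'YES'         # NGC = Next Generation Credential, the Hello key
        DeviceKeyInTpm   = $Status['TpmProtected'] -eq 'YES'   # refers to the device key; a missing TPM also rules out a hardware Hello key
        PolicyEnabled    = & $get 'PolicyEnabled'
        DeviceEligible   = & $get 'DeviceEligible'
        PreReqResult     = & $get 'PreReqResult'
    }
}

# Constructed, abridged sample so the script runs offline.
# On a real client use:  Test-HelloClient (ConvertFrom-DsregStatus (dsregcmd /status))
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
             PolicyEnabled : YES
            DeviceEligible : YES
              PreReqResult : WillProvision
'@ -split "`r?`n"

Test-HelloClient (ConvertFrom-DsregStatus $sample)
```

For the constructed sample the summary shows a hybrid-joined device with a PRT, a TPM-protected device key and a prerequisite result of WillProvision, but `HelloProvisioned` false: the user has not yet completed the enrollment gesture, which is the normal state right after the policy is applied. A device with `HasPrt` false will not provision at all, and `TpmProtected : NO` means any Hello key will be a software key.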

One trust model is not more secure than the other. The major difference is whether the organization is comfortable deploying Windows Server 2016 domain controllers and not enrolling users with end-entity certificates (key trust), versus using existing domain controllers (Windows Server 2008 R2 or later) and enrolling certificates for all users (certificate trust).

Because the certificate-trust type issues certificates, more configuration and infrastructure is needed to accommodate user certificate enrollment, which can also be a factor in your decision. The additional infrastructure for certificate-trust deployments is a certificate registration authority: hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates, while hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES role to issue certificates.

My conclusion is that Hybrid Key Trust is the way to go because it’s less complex, the management effort is lower, and security is the same as for the Certificate Trust model.

In the next blog I will show the implementation of Windows Hello for Business Hybrid in a Key trust model. Stay tuned.
