---
title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
ms.date: 03/12/2024
ms.topic: tutorial
---

# Hybrid key trust deployment guide

[!INCLUDE apply-to-hybrid-key-trust]

> [!IMPORTANT]
> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. For more information, see cloud Kerberos trust deployment.

[!INCLUDE requirements]

## Deployment steps

> [!div class="checklist"]
> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

## Configure and validate the Public Key Infrastructure

Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the key trust model. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.

Key trust deployments don't need client-issued certificates for on-premises authentication. Microsoft Entra Connect Sync configures Active Directory user accounts for public key mapping by synchronizing the public key of the Windows Hello for Business credential to the msDS-KeyCredentialLink attribute on the user's Active Directory object.

A Windows Server-based PKI or a non-Microsoft Enterprise certification authority can be used. For more information, see Requirements for domain controller certificates from a non-Microsoft CA.

[!INCLUDE lab-based-pki-deploy]

### Configure the enterprise PKI

[!INCLUDE dc-certificate-template]

[!INCLUDE dc-certificate-template-dc-hybrid-notes]

[!INCLUDE dc-certificate-template-supersede]

[!INCLUDE unpublish-superseded-templates]

### Publish the certificate template to the CA

A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.

Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.

1. Open the Certification Authority management console
1. Expand the parent node from the navigation pane
1. Select Certificate Templates in the navigation pane
1. Right-click the Certificate Templates node. Select New > Certificate Template to Issue
1. In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) template you created in the previous steps > select OK
1. Close the console

> [!IMPORTANT]
> If you plan to deploy Microsoft Entra joined devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to update your CA to include an HTTP-based CRL distribution point.

### Configure and deploy certificates to domain controllers

[!INCLUDE dc-certificate-deployment]

### Validate the configuration

[!INCLUDE dc-certificate-validate]
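The publishing step above and the domain controller validation can also be scripted. The following PowerShell is an added example, not part of this article or the Windows Hello for Business documentation; it assumes the ADCSAdministration module is available on the CA, and the template name is a placeholder you must replace with the internal name (not the display name) of the template you created.

```powershell
# Added example, not from the article. The template name below is a
# placeholder (assumption): use the internal Name of your duplicated
# Domain Controller Authentication (Kerberos) template.
$TemplateName = 'REPLACE_WITH_TEMPLATE_NAME'

# --- Run on the CA: publish the template so this CA can issue from it ---
Import-Module ADCSAdministration
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}
Get-CATemplate | Where-Object Name -eq $TemplateName   # template is now published

# --- Run on each domain controller: validate the issued certificate ---
# A key trust DC certificate must carry the KDC Authentication EKU; for SSO
# from Microsoft Entra joined devices the CRL distribution point must also
# include an HTTP URL (see the Important note above).
$KdcAuthOid  = '1.3.6.1.5.2.3.5'            # id-pkinit-KPKdc
$CdpOid      = '2.5.29.31'                  # CRL Distribution Points
$TemplateOid = '1.3.6.1.4.1.311.21.7'       # Certificate Template Information

function Test-DcKerberosCertificate {
    $results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object Value
        if ($ekus -notcontains $KdcAuthOid) { continue }   # not a DC (Kerberos) certificate

        $cdp      = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
        $cdpText  = if ($cdp) { $cdp.Format($false) } else { '' }
        $template = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Template      = if ($template) { $template.Format($false) } else { '(none)' }
            HasKdcAuthEku = $true
            HasHttpCdp    = $cdpText -match 'http://'
            ChainValid    = $cert.Verify()      # builds the chain and checks revocation
        }
    }
    if (-not $results) {
        Write-Warning 'No certificate with the KDC Authentication EKU found in the machine store.'
    }
    $results
}

Test-DcKerberosCertificate | Format-List
```

Confirm that the Template field names the template you created, that HasHttpCdp and ChainValid are both True, and that NotAfter is in the future before moving on.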

## Section review and next steps

> [!div class="checklist"]
> Before moving to the next section, ensure the following steps are complete:
>
> - Configure domain controller certificate template
> - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates
> - Publish the certificate template to the CA
> - Deploy certificates to the domain controllers
> - Validate the domain controllers configuration

> [!div class="nextstepaction"]
> Next: configure and enroll in Windows Hello for Business >