title: Windows Hello for Business on-premises key trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
ms.date: 03/12/2024
ms.topic: tutorial

On-premises key trust deployment guide

[!INCLUDE apply-to-on-premises-key-trust]

[!INCLUDE requirements]

[!div class="checklist"]

Deployment steps

Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

[!div class="checklist"]

Configure and validate the Public Key Infrastructure

Windows Hello for Business requires a Public Key Infrastructure (PKI) in both the key trust and the certificate trust deployment models. Each domain controller must have a certificate, which serves as a root of trust for clients: it lets clients verify that they are authenticating to a legitimate domain controller and not to a rogue one.

[!INCLUDE lab-based-pki-deploy]

Configure the enterprise PKI

[!INCLUDE dc-certificate-template]

[!INCLUDE dc-certificate-template-supersede]

[!INCLUDE web-server-certificate-template]

[!INCLUDE unpublish-superseded-templates]

Publish certificate templates to the CA

A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA and you want other CAs to issue certificates based on a certificate template, you must publish that template to each of them.

Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.

  1. Open the Certification Authority management console
  2. Expand the parent node from the navigation pane
  3. Select Certificate Templates in the navigation pane
  4. Right-click the Certificate Templates node. Select New > Certificate Template to issue
  5. In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Select OK to publish the selected certificate templates to the certification authority
  6. If you published the Domain Controller Authentication (Kerberos) certificate template, then unpublish the certificate templates you included in the superseded templates list
    • To unpublish a certificate template, right-click the certificate template you want to unpublish and select Delete. Select Yes to confirm the operation
  7. Close the console
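The same publish and unpublish steps can be scripted with the ADCSAdministration module, which is useful when more than one CA must issue from the templates. The following is an added example, not part of the original guide: it assumes the template common names shown (the MMC strips spaces from the display name when it creates a template, so verify yours first) and a superseded-templates list of the three built-in domain controller templates; adjust both arrays to match your environment. Run it on each CA with Enterprise Admin equivalent credentials.

```powershell
# Added example (not from the original guide): publish the Windows Hello for Business
# templates to this CA with the ADCSAdministration cmdlets, unpublish the superseded
# templates, and return the CA's final template list for review.
Import-Module ADCSAdministration

# Template common names are ASSUMED here. List the real ones in your forest with:
#   Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Filter * | Select-Object Name
$templatesToPublish = @(
    'DomainControllerAuthentication(Kerberos)',  # assumed CN of "Domain Controller Authentication (Kerberos)"
    'InternalWebServer'                          # assumed CN of "Internal Web Server"
)
# Built-in templates typically placed on the superseded-templates list (assumption; edit to match yours)
$templatesToUnpublish = @('DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication')

function Update-CATemplatePublication {
    param(
        [string[]]$Publish,
        [string[]]$Unpublish
    )

    # Templates currently published to this CA
    $published = @((Get-CATemplate).Name)

    foreach ($name in $Publish) {
        if ($published -contains $name) {
            Write-Host "Already published: $name"
            continue
        }
        # -Force suppresses the confirmation prompt
        Add-CATemplate -Name $name -Force
        Write-Host "Published: $name"
    }

    foreach ($name in $Unpublish) {
        if ($published -contains $name) {
            Remove-CATemplate -Name $name -Force
            Write-Host "Unpublished superseded template: $name"
        }
    }

    # Return the final list so it can be logged or compared against the expected set
    return @((Get-CATemplate).Name)
}

$final = Update-CATemplatePublication -Publish $templatesToPublish -Unpublish $templatesToUnpublish
$missing = $templatesToPublish | Where-Object { $final -notcontains $_ }
if ($missing) { Write-Warning "Not published on this CA: $($missing -join ', ')" }
```

Add-CATemplate and Remove-CATemplate act only on the CA you run them against, so repeat the script on every CA that should issue from these templates. The returned list is the same set the Certificate Templates node shows in the console, which makes it a convenient check that the superseded templates are really gone before clients start enrolling.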

Configure and deploy certificates to domain controllers

[!INCLUDE dc-certificate-deployment]

Validate the configuration

[!INCLUDE dc-certificate-validate]
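As an added check that is not part of the original guide, the following script, run on a domain controller, confirms that a certificate from the Domain Controller Authentication (Kerberos) template is installed and usable: it looks in the machine store for a certificate with a private key and the KDC Authentication EKU, then verifies that the certificate chains to a trusted CA, is within its validity period, and carries the DC's FQDN in its subject alternative name. The EKU OIDs are well-known values; the expectation that all three EKUs are present is taken from the template configuration earlier in this guide.

```powershell
# Added example (not from the original guide): validate the domain controller's
# authentication certificate before moving on to the AD FS section.
$kdcAuthEku     = '1.3.6.1.5.2.3.5'         # KDC Authentication
$smartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$serverAuthEku  = '1.3.6.1.5.5.7.3.1'       # Server Authentication
$requiredEkus   = @($kdcAuthEku, $smartCardLogon, $serverAuthEku)

function Test-DcAuthCertificate {
    $dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Candidate certificates: private key present and KDC Authentication EKU set
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthEku)
    }

    if (-not $candidates) {
        return [pscustomobject]@{ DomainController = $dcFqdn; Found = $false; Valid = $false; Issues = @('No certificate with KDC Authentication EKU and a private key') }
    }

    # Evaluate the newest candidate (the one autoenrollment would have issued last)
    $cert   = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1
    $issues = @()

    $missingEkus = $requiredEkus | Where-Object { $cert.EnhancedKeyUsageList.ObjectId -notcontains $_ }
    if ($missingEkus) { $issues += "Missing EKU(s): $($missingEkus -join ', ')" }

    # Verify() builds and validates the chain against the machine's trusted roots
    if (-not $cert.Verify()) { $issues += 'Certificate does not chain to a trusted CA or is revoked' }

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $issues += "Outside validity period ($($cert.NotBefore) - $($cert.NotAfter))" }

    # DnsNameList is populated from the subject alternative name by the Cert: provider
    if ($cert.DnsNameList.Unicode -notcontains $dcFqdn) { $issues += "SAN does not contain $dcFqdn" }

    return [pscustomobject]@{
        DomainController = $dcFqdn
        Found            = $true
        Thumbprint       = $cert.Thumbprint
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        Valid            = ($issues.Count -eq 0)
        Issues           = $issues
    }
}

Test-DcAuthCertificate | Format-List
```

A result with Valid set to True means the domain controller holds a certificate that clients can use as their root of trust for this DC. If Found is False, confirm that the template is published to the CA and that the domain controller's autoenrollment policy has refreshed; a chain failure usually points at a root or intermediate CA certificate missing from the DC's trusted stores. Running `certutil -dcinfo verify` alongside this script gives an independent view of the same certificates.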

Section review and next steps

[!div class="checklist"] Before moving to the next section, ensure the following steps are complete:

  • Configure domain controller and web server certificate templates
  • Supersede existing domain controller certificates
  • Unpublish superseded certificate templates
  • Publish the certificate templates to the CA
  • Deploy certificates to the domain controllers
  • Validate the domain controllers configuration

[!div class="nextstepaction"] Next: prepare and deploy AD FS >