Windows Hello for Business Key Trust New Installation
- Windows 10, version 1703 or later
- Hybrid deployment
- Key trust
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
- Active Directory
- Public Key Infrastructure
- Azure Active Directory
- Multifactor Authentication Services
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the Configure Directory Synchronization section to prepare your Windows Hello for Business deployment by configuring directory synchronization.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
This document expects you have Active Directory deployed with an adequate number of Windows Server 2016 domain controllers for each site. Read the Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments to learn more.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
- An adequate number of Windows Server 2016 domain controllers
- Minimum Windows Server 2008 R2 domain and forest functional level
- Functional networking, name resolution, and Active Directory replication
Public Key Infrastructure
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
Lab-based public key infrastructure
The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
Sign-in using Enterprise Admin equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
Never install a certificate authority on a domain controller in a production environment.
Open an elevated Windows PowerShell prompt.
Use the following command to install the Active Directory Certificate Services role.
add-windowsfeature adcs-cert-authority -IncludeManagementTools
Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
Configure a Production Public Key Infrastructure
If you do not have an existing public key infrastructure, please review Certification Authority Guidance from Microsoft TechNet to properly design your infrastructure. Then, consult the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy for instructions on how to configure your public key infrastructure using the information from your design session.
For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
- Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
- Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
- Minimum Windows Server 2012 Certificate Authority.
- Enterprise Certificate Authority.
- Functioning public key infrastructure.
- Root certificate authority certificate (Azure AD Joined devices).
- Highly available certificate revocation list (Azure AD Joined devices).
Azure Active Directory
You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the Creating an Azure AD tenant process to provision an Azure tenant for your organization.
- Review the different ways to establish an Azure Active Directory tenant.
- Create an Azure Active Directory Tenant.
- Purchase the appropriate Azure Active Directory subscription or licenses, if necessary.
Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
Review the What is Azure Multi-Factor Authentication topic to familiarize yourself its purpose and how it works.
Azure Multi-Factor Authentication (MFA) Cloud
As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
- Azure Multi-Factor Authentication
- Azure Active Directory Premium
- Enterprise Mobility + Security
If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the Create a Multifactor Authentication Provider section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the Configure Azure Multi-Factor Authentication settings section to configure your settings.
Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review configure User States to understand user states. User states determine how you enable Azure MFA for your users.
Azure MFA via ADFS
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the Configure AD FS 2016 and Azure MFA section.
- Review the overview and uses of Azure Multifactor Authentication.
- Review your Azure Active Directory subscription for Azure Multifactor Authentication.
- Create an Azure Multifactor Authentication Provider, if necessary.
- Configure Azure Multifactor Authentication features and settings.
- Understand the different User States and their effect on Azure Multifactor Authentication.
- Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
Follow the Windows Hello for Business hybrid key trust deployment guide
Send feedback about: