Configure Directory Synchronization for Hybrid key trust Windows Hello for Business

Applies to

  • Windows 10, version 1703 or later
  • Hybrid deployment
  • Key trust

You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.

Deploy Azure AD Connect

Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review Integrating on-prem directories with Azure Active Directory, along with the hardware and prerequisites needed, and then download the software.

If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
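To verify the two conditions this step depends on, the following added example (not part of the Microsoft guide) checks that the on-premises schema already defines msDS-KeyCredentialLink and that an inbound Azure AD Connect sync rule flows it. It assumes the ActiveDirectory RSAT module, and, for the last check, that it runs on the Azure AD Connect server where the ADSync module is installed; the `Direction` and `AttributeFlowMappings` property names on the sync-rule objects are assumptions about the ADSync object model.

```powershell
# Added example, not from the original guide. Assumptions: ActiveDirectory RSAT module
# is present; the final check runs on the Azure AD Connect server with the ADSync module;
# sync-rule objects expose Direction and AttributeFlowMappings (assumed property names).
Import-Module ActiveDirectory

$attr = 'msDS-KeyCredentialLink'

# 1. Confirm the schema upgrade has been applied: the attribute must exist in the
#    schema naming context before Azure AD Connect can create a flow for it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDef = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
    -Properties lDAPDisplayName
if (-not $attrDef) {
    Write-Warning "$attr is not defined in the AD schema; extend the schema before (re)running Azure AD Connect."
    return
}
Write-Host "Schema check passed: $attr is defined."

# 2. Confirm the attribute is readable on user objects. It stays empty until a device
#    provisions Windows Hello for Business, so an empty value here is expected.
$sample = Get-ADUser -Filter * -ResultSetSize 1 -Properties $attr
Write-Host ("Attribute readable on users: {0}" -f ($null -ne $sample))

# 3. On the Azure AD Connect server, look for an inbound AD rule whose attribute flow
#    references the attribute. If none is found, the install predates the schema change.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $rules = Get-ADSyncRule | Where-Object {
        $_.Direction -eq 'Inbound' -and
        (($_.AttributeFlowMappings | Out-String) -match [regex]::Escape($attr))
    }
    if ($rules) {
        $rules | Select-Object Name, Connector, Precedence | Format-Table -AutoSize
    } else {
        Write-Warning "No inbound sync rule flows $attr; re-run Azure AD Connect and refresh the directory schema."
    }
} else {
    Write-Host "ADSync module not found; run the sync-rule check on the Azure AD Connect server."
}
```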

Follow the Windows Hello for Business hybrid key trust deployment guide

  1. Overview
  2. Prerequisites
  3. New Installation Baseline
  4. Configure Directory Synchronization (You are here)
  5. Configure Azure Device Registration
  6. Configure Windows Hello for Business settings
  7. Sign-in and Provision