
Windows Hello for Business Cloud Trust is in Preview

Windows Hello for Business is an enterprise login tool that verifies identity with biometrics: facial recognition or fingerprints. This eliminates the need to enter passwords, which saves time and hassle and increases employees’ productivity. Last week, Microsoft announced its Windows Hello for Business cloud trust, which applies to hybrid environments. This new authentication model considerably simplifies the deployment of passwordless login in hybrid scenarios, and it’s in preview now.

Simplifying Deployment with Windows Hello for Business Cloud Trust

On-premises single sign-on (SSO) with passwordless security keys makes employee login experiences in traditional workplaces simple and seamless. Until now, Windows Hello for Business has provided strong authentication either through an asymmetric key pair (the key trust method) or a user certificate (the certificate trust method), both of which require a complicated deployment process. The new cloud trust method brings together the benefits of both without the setup hassle. It can be used for new deployments, or administrators can switch existing deployments to this model with policy controls.

Differences Between Key Trust, Certificate Trust, and Cloud Trust

All of these deployment models pertain to hybrid environments that include some on-premises credential verification. The key trust model does on-prem authentication through built-in Azure AD certificates with Kerberos in order to retrieve ticket-granting tickets (TGTs). It requires public key infrastructure (PKI) and an adequate number of 2016 domain controllers to support authentication, as well as Active Directory Certificate Services. Certificate trust is similar to key trust but also offers certificates to end users (with possibilities of expiration and renewal), and it requires additional device registration at setup.

Cloud trust does not issue certificates and doesn’t require Active Directory Certificate Services. Since it doesn’t use public key infrastructure, there’s no need to deploy that or make any changes to existing PKI. This also means it doesn’t require the syncing of public keys between Azure AD and on-premises domain controllers. Users can access on-premises applications and resources without any delay between provisioning and authentication. Cloud trust is the new recommended method of deployment when certificates are not needed, replacing the key trust method as the default recommendation. But there are some prerequisites to using this model, and some scenarios won’t work with it.

Prerequisites for Cloud Trust

These are the requirements for deploying Windows Hello for Business cloud trust:

For more details on prerequisites, see Microsoft’s Deployment Prerequisite Overview.

Unsupported Scenarios

There are a few scenarios where you can’t use Windows Hello for Business cloud trust. These are:

Try Out Windows Hello for Business Cloud Trust

In any Windows Hello for Business setup, users will experience the same easy process when they log in to applications. The differences are on the administrators’ side, particularly in the deployment process.

Ready to check out this preview and deploy Windows Hello for Business more easily? Follow these deployment instructions.

 
