Table of Content

Key Management Interoperability Protocol

Cybersecurity Frameworks

Windows Hello for Business Deployment Models 

Windows Hello different deployment models

Windows Hello for Business offers various deployment options that organizations can choose from. Though it may seem complex, most organizations will realize that they have already implemented most of the infrastructure necessary for the deployment.  

There are three deployment models available: cloud-only, hybrid, and on-premises. 

Cloud-Only Deployment Model

The exclusive reliance on cloud identities characterizes the cloud-only deployment model, tailored for organizations without on-premises resources. These entities connect their devices to the cloud, depending entirely on resources like SharePoint and OneDrive. 


  • Streamlined Management

    Cloud-only deployments simplify management by utilizing cloud-based services for configuration, monitoring, and updates, alleviating the workload on IT administrators.

  • Scalability

    Cloud solutions offer enhanced scalability, enabling organizations to effortlessly accommodate increasing numbers of users or devices without substantial infrastructure investments.

  • Flexibility

    Cloud-only deployments afford flexibility in terms of device location and user access, allowing authentication from any location with an internet connection—particularly advantageous in remote or distributed work environments.


  • Dependency on Internet Connection

    Cloud-only deployments heavily rely on internet connectivity, making users’ ability to authenticate vulnerable to disruptions in workflow during internet issues.

  • Security Concerns

    Some organizations express apprehensions about relying solely on the cloud for sensitive authentication data, despite robust security measures employed by Microsoft.

  • Data Privacy and Compliance

    Concerns about data privacy and compliance may arise, especially for organizations handling biometric data stored in the cloud.

On-Premises Deployment Model

Exclusively designed for enterprises utilizing on-premises Active Directory, the on-premises deployment model does not involve cloud identities or applications hosted in Microsoft Entra ID. 


  • Local Control

    On-premises deployments provide direct control over the entire Windows Hello for Business infrastructure, a crucial aspect for organizations with specific security and compliance requirements.

  • Data Residency

    Some organizations prefer keeping authentication data within their own data centers for regulatory reasons, ensuring control over data residency.

  • Reduced Dependency on Internet Connectivity

    On-premises deployments mitigate reliance on constant Internet connectivity, allowing authentication processes to continue even during temporary disruptions in Internet access.


  • Limited Remote Access

    Challenges may arise for remote access scenarios, with users outside the organization’s network experiencing limitations, necessitating additional solutions for remote workforce scenarios.

  • Complexity of Maintenance

    Managing on-premises infrastructure demands dedicated resources for maintenance, updates, and troubleshooting, introducing complexity and requiring skilled IT staff.

  • Scalability Challenges

    Scaling on-premises infrastructure for a growing user base may involve significant upfront investments and planning compared to cloud-based solutions.

Hybrid Deployment Model

Tailored for organizations federated with Microsoft Entra ID, the hybrid deployment model involves synchronized identities and applications hosted in Microsoft Entra ID. It aims to provide a unified single sign-on user experience for both on-premises and Microsoft Entra resources. 


  • Flexibility

    Hybrid deployments strike a balance between on-premises control and cloud flexibility, suitable for organizations integrating modern authentication methods with existing on-premises infrastructure.

  • Local Control

    On-premises components grant local control over specific authentication aspects, such as device registration, certificate authorities, and key storage—crucial for organizations with specific security and compliance requirements.

  • Compliance Options

    Organizations can address compliance and data residency concerns by carefully managing where certain authentication data is stored and processed, whether on-premises or in the cloud.


  • Complexity of Configuration

    Setting up and configuring a hybrid deployment can be more intricate than opting for a purely on-premises or cloud-based solution, requiring meticulous planning for optimal functionality and seamless integration.

  • Dependency on Internet Connectivity

    Similar to cloud-only deployments, a Windows Hello hybrid model relies on Internet connectivity for specific authentication processes, making the user experience susceptible to connectivity issues.

  • Management Overhead

    Managing a hybrid deployment necessitates expertise in both on-premises and cloud technologies, adding to the complexity as IT administrators monitor and maintain components in both environments.

Trust Models

The trust model plays a pivotal role in determining the user authentication method for the on-premises Active Directory. Three trust models are supported in a hybrid environment: Key Trust, Certificate Trust, and Cloud Kerberos Trust. On-premises deployment models support Key Trust and Certificate Trust only. 

  1. Key Trust Model

    The key trust type eliminates the need to issue authentication certificates to end users. Users authenticate using a hardware-bound key generated during the built-in provisioning experience.

  2. Certificate Trust Model

    The certificate trust type involves issuing authentication certificates to end users. Users request a certificate using a hardware-bound key created during the built-in provisioning experience for authentication.

  3. Cloud Kerberos Trust Model

    The Windows Hello for Business cloud Kerberos trust employs Microsoft Entra Kerberos, streamlining deployment in comparison to the key trust model.

Comparison between the trust models

The table below highlights the key differences between the Cloud Kerberos Trust Model, Certificate Trust Model and the Key Trust Model. 

Criteria Cloud Kerberos Trust Model  Certificate Trust Model Key Trust Model 
User Authentication Using Microsoft Entra Kerberos, users request a Ticket Granting Ticket from Microsoft Entra ID for authentication. Users require a certificate, requested using a device-bound key, for authentication. 
Users use a device-bound key for authentication. 
Deployment model Supported by Hybrid deployment model only Supported by Hybrid and on-premises deployment model Supported by Hybrid and on-premises deployment model 
PKI requirement PKI is not required PKI is required PKI is required 

Comparison between the deployment models

This table provides a comparison of key features across the three Windows Hello deployment models. Organizations should carefully evaluate their requirements to determine the most suitable deployment approach. 

Feature On-Premises Deployment Cloud-Only Deployment Hybrid Deployment 
Control and Management Local control over infrastructure and data. Managed through cloud-based services. Balance between on-premises control and cloud flexibility. 
Data Residency Authentication data stored on-premises. Authentication data stored in the cloud. On-premises registration with cloud-based storage. 
Integration with Infrastructure Integrates with on-premises Active Directory and systems. Relies on Azure Active Directory for authentication. Seamless integration with Entra ID for authentication. 
Scalability Scaling may require significant upfront investments. More scalable with minimal infrastructure investments. Authentication data is stored in the cloud. 


Windows Hello for Business provides organizations with diverse deployment options, each tailored to specific needs. It aims to enable deployments for organizations irrespective of their size or scenario.

The three models—Cloud-Only, On-Premises, and Hybrid—offer unique benefits and considerations, emphasizing the importance of aligning choices with security, compliance, and scalability requirements. The trust models—Key Trust, Certificate Trust, and Cloud Kerberos Trust—further refine authentication methods, allowing organizations to balance control and flexibility based on their unique circumstances. 

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo