Windows Hello for Business Deployment Models 

Windows Hello for Business offers various deployment options that organizations can choose from. Though it may seem complex, most organizations will realize that they have already implemented most of the infrastructure necessary for the deployment.  

There are three deployment models available: cloud-only, hybrid, and on-premises. 

Cloud-Only Deployment Model

The exclusive reliance on cloud identities characterizes the cloud-only deployment model, tailored for organizations without on-premises resources. These entities connect their devices to the cloud, depending entirely on resources like SharePoint and OneDrive. 

Pros

• Streamlined Management

  Cloud-only deployments simplify management by utilizing cloud-based services for configuration, monitoring, and updates, alleviating the workload on IT administrators.

• Scalability

  Cloud solutions offer enhanced scalability, enabling organizations to effortlessly accommodate increasing numbers of users or devices without substantial infrastructure investments.

• Flexibility

  Cloud-only deployments afford flexibility in terms of device location and user access, allowing authentication from any location with an internet connection—particularly advantageous in remote or distributed work environments.

Cons

• Dependency on Internet Connection

  Cloud-only deployments heavily rely on internet connectivity, making users’ ability to authenticate vulnerable to disruptions in workflow during internet issues.

• Security Concerns

  Some organizations express apprehensions about relying solely on the cloud for sensitive authentication data, despite robust security measures employed by Microsoft.

• Data Privacy and Compliance

  Concerns about data privacy and compliance may arise, especially for organizations handling biometric data stored in the cloud.

On-Premises Deployment Model

Exclusively designed for enterprises utilizing on-premises Active Directory, the on-premises deployment model does not involve cloud identities or applications hosted in Microsoft Entra ID. 

Pros

• Local Control

  On-premises deployments provide direct control over the entire Windows Hello for Business infrastructure, a crucial aspect for organizations with specific security and compliance requirements.

• Data Residency

  Some organizations prefer keeping authentication data within their own data centers for regulatory reasons, ensuring control over data residency.

• Reduced Dependency on Internet Connectivity

  On-premises deployments mitigate reliance on constant Internet connectivity, allowing authentication processes to continue even during temporary disruptions in Internet access.

Cons

• Limited Remote Access

  Challenges may arise for remote access scenarios, with users outside the organization’s network experiencing limitations, necessitating additional solutions for remote workforce scenarios.

• Complexity of Maintenance

  Managing on-premises infrastructure demands dedicated resources for maintenance, updates, and troubleshooting, introducing complexity and requiring skilled IT staff.

• Scalability Challenges

  Scaling on-premises infrastructure for a growing user base may involve significant upfront investments and planning compared to cloud-based solutions.

Hybrid Deployment Model

Tailored for organizations federated with Microsoft Entra ID, the hybrid deployment model involves synchronized identities and applications hosted in Microsoft Entra ID. It aims to provide a unified single sign-on user experience for both on-premises and Microsoft Entra resources. 

Pros

• Flexibility

  Hybrid deployments strike a balance between on-premises control and cloud flexibility, suitable for organizations integrating modern authentication methods with existing on-premises infrastructure.

• Local Control

  On-premises components grant local control over specific authentication aspects, such as device registration, certificate authorities, and key storage—crucial for organizations with specific security and compliance requirements.

• Compliance Options

  Organizations can address compliance and data residency concerns by carefully managing where certain authentication data is stored and processed, whether on-premises or in the cloud.

Cons

• Complexity of Configuration

  Setting up and configuring a hybrid deployment can be more intricate than opting for a purely on-premises or cloud-based solution, requiring meticulous planning for optimal functionality and seamless integration.

• Dependency on Internet Connectivity

  Similar to cloud-only deployments, a Windows Hello hybrid model relies on Internet connectivity for specific authentication processes, making the user experience susceptible to connectivity issues.

• Management Overhead

  Managing a hybrid deployment necessitates expertise in both on-premises and cloud technologies, adding to the complexity as IT administrators monitor and maintain components in both environments.

Trust Models

The trust model plays a pivotal role in determining the user authentication method for the on-premises Active Directory. Three trust models are supported in a hybrid environment: Key Trust, Certificate Trust, and Cloud Kerberos Trust. On-premises deployment models support Key Trust and Certificate Trust only. 

1. Key Trust Model

   The key trust type eliminates the need to issue authentication certificates to end users. Users authenticate using a hardware-bound key generated during the built-in provisioning experience.

2. Certificate Trust Model

   The certificate trust type involves issuing authentication certificates to end users. Users request a certificate using a hardware-bound key created during the built-in provisioning experience for authentication.

3. Cloud Kerberos Trust Model

   The Windows Hello for Business cloud Kerberos trust employs Microsoft Entra Kerberos, streamlining deployment in comparison to the key trust model.

Comparison between the trust models

The table below highlights the key differences between the Cloud Kerberos Trust Model, Certificate Trust Model and the Key Trust Model. 

Criteria	Cloud Kerberos Trust Model	Certificate Trust Model	Key Trust Model
User Authentication	Using Microsoft Entra Kerberos, users request a Ticket Granting Ticket from Microsoft Entra ID for authentication.	Users require a certificate, requested using a device-bound key, for authentication.	Users use a device-bound key for authentication.
Deployment model	Supported by Hybrid deployment model only	Supported by Hybrid and on-premises deployment model	Supported by Hybrid and on-premises deployment model
PKI requirement	PKI is not required	PKI is required	PKI is required

Comparison between the deployment models

This table provides a comparison of key features across the three Windows Hello deployment models. Organizations should carefully evaluate their requirements to determine the most suitable deployment approach. 

Feature	On-Premises Deployment	Cloud-Only Deployment	Hybrid Deployment
Control and Management	Local control over infrastructure and data.	Managed through cloud-based services.	Balance between on-premises control and cloud flexibility.
Data Residency	Authentication data stored on-premises.	Authentication data stored in the cloud.	On-premises registration with cloud-based storage.
Integration with Infrastructure	Integrates with on-premises Active Directory and systems.	Relies on Azure Active Directory for authentication.	Seamless integration with Entra ID for authentication.
Scalability	Scaling may require significant upfront investments.	More scalable with minimal infrastructure investments.	Authentication data is stored in the cloud.

Conclusion

Windows Hello for Business provides organizations with diverse deployment options, each tailored to specific needs. It aims to enable deployments for organizations irrespective of their size or scenario.

The three models—Cloud-Only, On-Premises, and Hybrid—offer unique benefits and considerations, emphasizing the importance of aligning choices with security, compliance, and scalability requirements. The trust models—Key Trust, Certificate Trust, and Cloud Kerberos Trust—further refine authentication methods, allowing organizations to balance control and flexibility based on their unique circumstances.