Requirements per Windows Hello for Business Deployment Type


Microsoft Passwordless with Windows Hello for Business

Windows Hello for Business is awesome technology that allows for multi-factor authenticated sign-in on Windows 10 devices.


About Windows Hello for Business

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.

Windows Hello addresses the following problems with passwords:

  • Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
  • Server breaches can expose symmetric network credentials (passwords).
  • Passwords are subject to replay attacks.
  • Users can inadvertently expose their passwords due to phishing attacks.



There are five deployment types for Windows Hello for Business. Microsoft has described them in detail in the Windows Hello for Business Deployment Guide.

However, one of the pieces of documentation that I feel is missing from the deployment guide is an overview of the requirements per Windows Hello for Business deployment type.

The table below shows the requirements per Windows Hello for Business Deployment Type. Only the column headings of the table survived extraction; the cells did not:

  • Azure AD Join
  • Certificate Trust
  • Key Trust
  • Azure AD Connect
  • NDES
  • Windows Server 2016 Domain Controllers
  • MFA
  • Device Registration service
  • Windows 10 1703
  • Microsoft Intune
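Several of the requirements in the table are properties of the client device itself (the Windows 10 1703 build, a TPM, the join state, and whether a Hello container has been provisioned). The script below is an added example, not code from the original post or from Microsoft, that reads those properties from a single machine so an administrator can map them against the deployment type being planned. It assumes an elevated PowerShell session on Windows 10 with the in-box dsregcmd.exe and the TrustedPlatformModule module (the Get-Tpm cmdlet) available; the readiness labels and the 15063 build number (Windows 10 1703) are the author's own choices here.

```powershell
# Added example: read-only readiness check for the device-side
# Windows Hello for Business requirements listed in the table above.
# Assumes: elevated PowerShell on Windows 10, dsregcmd.exe and Get-Tpm present.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable,
    # e.g. "AzureAdJoined : YES" -> $result['AzureAdJoined'] = 'YES'.
    $result = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WhfbDeviceReadiness {
    $status = Get-DsregStatus
    $build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $tpm    = Get-Tpm   # TrustedPlatformModule module, ships in-box

    # Each entry is one device-side requirement; the join checks are reported
    # side by side because which one applies depends on the deployment type.
    $checks = [ordered]@{
        'Windows 10 1703 or later (build 15063+)' = ($build -ge 15063)
        'TPM present and ready'                   = ($tpm.TpmPresent -and $tpm.TpmReady)
        'Azure AD joined (cloud/hybrid types)'    = ($status['AzureAdJoined'] -eq 'YES')
        'AD domain joined (hybrid/on-prem types)' = ($status['DomainJoined'] -eq 'YES')
        'Hello container provisioned (NgcSet)'    = ($status['NgcSet'] -eq 'YES')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
        '{0,-45} {1}' -f $name, $state
    }
}

Test-WhfbDeviceReadiness
```

The script only reads state; it does not change the join or provision Hello. 'NgcSet' reporting MISSING on a device that otherwise passes is the normal state before a user has completed Hello provisioning, so treat that row as a post-deployment check rather than a prerequisite.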

5 Responses to Requirements per Windows Hello for Business Deployment Type


    Could you share us the steps to setup On premise key trust hello for business


    Why does Windows Hello for Business require an internet connection in an on-premises Key trust deployment?


    The Microsoft Docs state that ADFS can be at server 2012 R2 or newer, but your table shows the need for FBL to be at 2016 or newer.

    Can you explain this for me?

  • To use the built-in Azure multi-factor authentication adapter, the AD FS farm needs to run the Windows Server 2016 Farm Behavioral Level (FBL) or higher.
      As new implementations with Azure MFA Server are no longer possible, the Windows Server 2016 FBL is effectively the minimum requirement, as stated in the 'Multifactor Authentication' section of the same Microsoft Docs page.
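To verify the two points in the reply above on an existing AD FS farm, the following added example (not part of the original post or of Microsoft's documentation) queries the farm behavior level and the configured additional authentication providers. It assumes it is run on an AD FS server with the ADFS PowerShell module and administrative rights; the mapping of FBL value 3 to Windows Server 2016 (and 1 to Windows Server 2012 R2) and the provider name 'AzureMfaAuthentication' are Microsoft's values, while the function name and output format are the author's own.

```powershell
# Added example: check an AD FS farm against the Windows Hello for Business
# requirements discussed above. Assumes the ADFS module (present on any
# AD FS server) and an AD FS admin session.
Import-Module ADFS

function Test-AdfsWhfbReadiness {
    $farm   = Get-AdfsFarmInformation
    $policy = Get-AdfsGlobalAuthenticationPolicy

    # Farm Behavior Level: 1 = Windows Server 2012 R2, 3 = Windows Server 2016,
    # 4 = Windows Server 2019. The built-in Azure MFA adapter needs FBL 3 or higher.
    $fblOk = [int]$farm.CurrentFarmBehavior -ge 3

    # The built-in Azure MFA adapter registers under the name 'AzureMfaAuthentication'.
    $azureMfaEnabled = @($policy.AdditionalAuthenticationProvider) -contains 'AzureMfaAuthentication'

    # Device Registration Service is required for the hybrid certificate-trust type.
    # Get-AdfsDeviceRegistration throws when DRS has never been configured.
    try {
        $null  = Get-AdfsDeviceRegistration -ErrorAction Stop
        $drsOk = $true
    } catch {
        $drsOk = $false
    }

    [ordered]@{
        'CurrentFarmBehavior'            = $farm.CurrentFarmBehavior
        'FBL is 2016 (3) or higher'      = $fblOk
        'Azure MFA adapter enabled'      = $azureMfaEnabled
        'Device Registration configured' = $drsOk
        'Farm nodes'                     = (@($farm.FarmNodes) -join ', ')
    }
}

Test-AdfsWhfbReadiness
```

A farm that was upgraded in place from Windows Server 2012 R2 still reports CurrentFarmBehavior 1 until the level is raised with Invoke-AdfsFarmBehaviorLevelRaise, which is why checking the FBL value rather than the operating system version of the nodes is the relevant test here.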

