Windows Hello for Business Deployment Models

Windows Hello for Business offers various deployment options that organizations can choose from. Though it may seem complex, most organizations will realize that they have already implemented most of the infrastructure necessary for the deployment.
There are three deployment models available: cloud-only, hybrid, and on-premises.
Cloud-Only Deployment Model
The cloud-only deployment model relies exclusively on cloud identities and is intended for organizations with no on-premises resources. These organizations join their devices to the cloud and depend entirely on cloud resources such as SharePoint and OneDrive.
Pros
- Streamlined Management: Cloud-only deployments simplify management by using cloud-based services for configuration, monitoring, and updates, reducing the workload on IT administrators.
- Scalability: Cloud solutions scale readily, letting organizations accommodate growing numbers of users or devices without substantial infrastructure investment.
- Flexibility: Cloud-only deployments allow authentication from any location with an internet connection, regardless of device location, which is particularly advantageous in remote or distributed work environments.
Cons
- Dependency on Internet Connection: Cloud-only deployments depend heavily on internet connectivity; when the connection is disrupted, users may be unable to authenticate and their workflow is interrupted.
- Security Concerns: Some organizations are apprehensive about relying solely on the cloud for sensitive authentication data, despite the robust security measures Microsoft employs.
- Data Privacy and Compliance: Data privacy and compliance concerns may arise, especially for organizations handling biometric data that is stored in the cloud.
On-Premises Deployment Model
The on-premises deployment model is designed exclusively for enterprises that use on-premises Active Directory. It involves no cloud identities and no applications hosted in Microsoft Entra ID.
Pros
- Local Control: On-premises deployments give direct control over the entire Windows Hello for Business infrastructure, which is crucial for organizations with specific security and compliance requirements.
- Data Residency: Some organizations prefer to keep authentication data within their own data centers for regulatory reasons, retaining control over data residency.
- Reduced Dependency on Internet Connectivity: On-premises deployments reduce reliance on constant internet connectivity, so authentication continues to work during temporary disruptions in internet access.
Cons
- Limited Remote Access: Remote access can be challenging, since users outside the organization's network face limitations; additional solutions are needed for remote workforce scenarios.
- Complexity of Maintenance: Managing on-premises infrastructure demands dedicated resources for maintenance, updates, and troubleshooting, adding complexity and requiring skilled IT staff.
- Scalability Challenges: Scaling on-premises infrastructure for a growing user base may require significant upfront investment and planning compared with cloud-based solutions.
Hybrid Deployment Model
Tailored for organizations federated with Microsoft Entra ID, the hybrid deployment model involves synchronized identities and applications hosted in Microsoft Entra ID. It aims to provide a unified single sign-on user experience for both on-premises and Microsoft Entra resources.
Pros
- Flexibility: Hybrid deployments strike a balance between on-premises control and cloud flexibility, suiting organizations that integrate modern authentication methods with existing on-premises infrastructure.
- Local Control: On-premises components provide local control over specific aspects of authentication, such as device registration, certificate authorities, and key storage, which is crucial for organizations with specific security and compliance requirements.
- Compliance Options: Organizations can address compliance and data residency concerns by carefully managing where particular authentication data is stored and processed, whether on-premises or in the cloud.
Cons
- Complexity of Configuration: Setting up and configuring a hybrid deployment can be more intricate than a purely on-premises or cloud-based solution, requiring careful planning to achieve correct functionality and seamless integration.
- Dependency on Internet Connectivity: Like cloud-only deployments, a Windows Hello hybrid model relies on internet connectivity for certain authentication processes, so the user experience is susceptible to connectivity issues.
- Management Overhead: Managing a hybrid deployment requires expertise in both on-premises and cloud technologies, adding complexity as IT administrators monitor and maintain components in both environments.
Trust Models
The trust model plays a pivotal role in determining the user authentication method for the on-premises Active Directory. Three trust models are supported in a hybrid environment: Key Trust, Certificate Trust, and Cloud Kerberos Trust. On-premises deployment models support Key Trust and Certificate Trust only.
- Key Trust Model: The key trust type eliminates the need to issue authentication certificates to end users. Users authenticate with a hardware-bound key generated during the built-in provisioning experience.
- Certificate Trust Model: The certificate trust type involves issuing authentication certificates to end users. Users request an authentication certificate using a hardware-bound key created during the built-in provisioning experience.
- Cloud Kerberos Trust Model: The Windows Hello for Business cloud Kerberos trust uses Microsoft Entra Kerberos, which simplifies deployment compared with the key trust model.
Comparison between the trust models
The table below highlights the key differences between the Cloud Kerberos Trust Model, the Certificate Trust Model and the Key Trust Model.

| Criteria | Cloud Kerberos Trust Model | Certificate Trust Model | Key Trust Model |
| --- | --- | --- | --- |
| User Authentication | Using Microsoft Entra Kerberos, users request a Ticket Granting Ticket from Microsoft Entra ID for authentication. | Users require a certificate, requested using a device-bound key, for authentication. | Users use a device-bound key for authentication. |
| Deployment model | Supported by the hybrid deployment model only | Supported by the hybrid and on-premises deployment models | Supported by the hybrid and on-premises deployment models |
| PKI requirement | PKI is not required | PKI is required | PKI is required |
Comparison between the deployment models
This table compares key features across the three Windows Hello deployment models. Organizations should carefully evaluate their requirements to determine the most suitable deployment approach.

| Feature | On-Premises Deployment | Cloud-Only Deployment | Hybrid Deployment |
| --- | --- | --- | --- |
| Control and Management | Local control over infrastructure and data. | Managed through cloud-based services. | Balance between on-premises control and cloud flexibility. |
| Data Residency | Authentication data stored on-premises. | Authentication data stored in the cloud. | On-premises registration with cloud-based storage. |
| Integration with Infrastructure | Integrates with on-premises Active Directory and systems. | Relies on Azure Active Directory for authentication. | Seamless integration with Entra ID for authentication. |
| Scalability | Scaling may require significant upfront investments. | More scalable with minimal infrastructure investments. | Authentication data is stored in the cloud. |
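As an added example (not part of the original article), the PowerShell below infers which deployment model a device falls into from its join state and which trust type its policy selects, applying the rules from the trust model and deployment model tables above (cloud Kerberos trust is hybrid-only; key and certificate trust need a PKI). It assumes the `dsregcmd /status` field names `AzureAdJoined` and `DomainJoined` and the `PassportForWork` policy registry values `UseCloudTrustForOnPremAuth` and `UseCertificateForOnPremAuth`; these come from the Windows platform, not from the article, and the sample `dsregcmd` lines are constructed.

```powershell
# Parse 'Name : Value' lines from dsregcmd /status output into a hashtable.
function Get-WhfbJoinState {
    param([string[]]$DsregLines)
    $state = @{}
    foreach ($line in $DsregLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Map the join state to the article's three deployment models.
function Get-WhfbDeploymentModel {
    param([hashtable]$State)
    $entra  = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    if ($entra -and $domain) { return 'Hybrid' }
    if ($entra)              { return 'Cloud-only' }
    if ($domain)             { return 'On-premises' }
    return 'Not joined'
}

# Read the Windows Hello for Business policy values (assumed registry path)
# and report the trust type, flagging the combination the tables rule out.
function Get-WhfbTrustType {
    param([string]$Model,
          [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork')
    $policy = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    if ($Model -eq 'Cloud-only') { return 'None (no on-premises Active Directory)' }
    if ($policy.UseCloudTrustForOnPremAuth -eq 1) {
        if ($Model -eq 'Hybrid') { return 'Cloud Kerberos trust (no PKI required)' }
        return 'Misconfigured: cloud Kerberos trust is supported by hybrid only'
    }
    if ($policy.UseCertificateForOnPremAuth -eq 1) { return 'Certificate trust (PKI required)' }
    return 'Key trust (PKI required)'   # default when neither policy is set
}

# Constructed sample of the Device State section; on a real device use
# $lines = dsregcmd /status
$lines = @(
    '           AzureAdJoined : YES',
    '        EnterpriseJoined : NO',
    '            DomainJoined : YES',
    '              DomainName : CORP'
)
$model = Get-WhfbDeploymentModel -State (Get-WhfbJoinState -DsregLines $lines)
"Deployment model : $model"
"Trust type       : $(Get-WhfbTrustType -Model $model)"
```

Reading the policy requires running on the device itself; if the policy key is absent the script reports key trust, which is also the default when no trust policy is applied.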
Conclusion
Windows Hello for Business provides organizations with diverse deployment options, each tailored to specific needs. It aims to enable deployments for organizations irrespective of their size or scenario.
The three models—Cloud-Only, On-Premises, and Hybrid—offer unique benefits and considerations, emphasizing the importance of aligning choices with security, compliance, and scalability requirements. The trust models—Key Trust, Certificate Trust, and Cloud Kerberos Trust—further refine authentication methods, allowing organizations to balance control and flexibility based on their unique circumstances.