What is Windows Hello for business on premises?
Daniel Foster
Published Feb 22, 2026
What is Windows Hello for business on premises?
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
Is the Windows Hello for business service included in Active Directory?
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
Do you need a certificate for Windows Hello for business?
However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority.
Do you need federation server for Windows Hello for business?
Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
What kind of premises do you need for a small business?
Read more about finding the right premises to lease. Depending on the nature of your business, you may consider using co-working spaces or business incubators. These office locations offer short to medium term accommodation for business start-ups. They generally provide access to a work space, meeting rooms and telephone services for a fee.
How does Windows Hello for business certificate work?
This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
Is there an AIK certificate for Windows Hello for business?
Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
