Plan a Windows Hello for Business Deployment | Microsoft Learn
<!DOCTYPE html><html class="hasSidebar hasPageActions hasBreadcrumb conceptual has-default-focus theme-light" lang="en-us" dir="ltr" data-authenticated="false" data-auth-status-determined="false" data-target="docs" x-ms-format-detection="none"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta property="og:title" content="Plan a Windows Hello for Business Deployment" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/" /><meta property="og:description" content="Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure." /><meta property="og:image" content="https://learn.microsoft.com/en-us/media/open-graph-image.png" /> <meta property="og:image:alt" content="Microsoft Learn" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@MicrosoftLearn" /> <meta name="color-scheme" content="light dark"><meta name="adobe-target" content="true" /> <meta name="author" content="paolomatarazzo" /> <meta name="breadcrumb_path" content="/windows/resources/breadcrumb/toc.json" /> <meta name="depot_name" content="TechNet.windows-security" /> <meta name="description" content="Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure." 
/> <meta name="document_id" content="c7818df0-7223-6ebe-1829-ebd8ac16ca8e" /> <meta name="document_version_independent_id" content="c7818df0-7223-6ebe-1829-ebd8ac16ca8e" /> <meta name="feedback_help_link_type" content="" /> <meta name="feedback_help_link_url" content="" /> <meta name="feedback_product_url" content="https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332" /> <meta name="feedback_system" content="Standard" /> <meta name="git_commit_id" content="1d19f98f7fefcc326e4f74b0870d1045dd804f9d" /> <meta name="gitcommit" content="https://github.com/MicrosoftDocs/windows-docs-pr/blob/1d19f98f7fefcc326e4f74b0870d1045dd804f9d/windows/security/identity-protection/hello-for-business/deploy/index.md" /> <meta name="locale" content="en-us" /> <meta name="manager" content="aaroncz" /> <meta name="ms.author" content="paoloma" /> <meta name="ms.collection" content="tier2" /> <meta name="ms.date" content="10/30/2024" /> <meta name="ms.localizationpriority" content="medium" /> <meta name="ms.service" content="windows-client" /> <meta name="ms.subservice" content="itpro-security" /> <meta name="ms.topic" content="concept-article" /> <meta name="original_content_git_url" content="https://github.com/MicrosoftDocs/windows-docs-pr/blob/live/windows/security/identity-protection/hello-for-business/deploy/index.md" /> <meta name="page_type" content="conceptual" /> <meta name="pdf_url_template" content="https://learn.microsoft.com/pdfstore/en-us/TechNet.windows-security/{branchName}{pdfName}" /> <meta name="recommendations" content="true" /> <meta name="schema" content="Conceptual" /> <meta name="site_name" content="Docs" /> <meta name="toc_rel" content="../../../toc.json" /> <meta name="uhfHeaderId" content="MSDocsHeader-Windows" /> <meta name="updated_at" content="2024-10-31 10:48 PM" /> <meta name="word_count" content="2632" /> <meta name="persistent_id" content="5f9a436d-1037-ca90-f9d1-7dca9683d36c" /> 
<meta name="cmProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/1433a524-c01f-4b87-beab-670c040dea4f" data-source="generated" /> <meta name="cmProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/798bd9d1-9cc5-4fc7-b0e5-8699d1f6ce2a" data-source="generated" /> <meta name="cmProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/57eae307-c3a1-4cac-b645-1a899934bac8" data-source="generated" /> <meta name="spProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/312f1f05-a431-4193-8a4d-e6245d5966de" data-source="generated" /> <meta name="spProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/b5dc5f65-34a8-4bfc-9917-97d1e20c88b2" data-source="generated" /> <meta name="spProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/ee561821-1ac7-45a8-9409-6ba5eb7a5b97" data-source="generated" /> <meta name="scope" content="Windows 10" /><meta name="github_feedback_content_git_url" content="https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/identity-protection/hello-for-business/deploy/index.md" /><link href="https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/" rel="canonical"><title>Plan a Windows Hello for Business Deployment | Microsoft Learn</title><link rel="stylesheet" href="/static/assets/0.4.028726178/styles/site-ltr.css"> <script id="msdocs-script"> var msDocs = {environment: { supportLevel: 'production', accessLevel: 'online', reviewFeatures: false, systemContent: true, azurePortalHostname: 'portal.azure.com', legacyHosting: false, siteName: 'learn', },data: { timeOrigin: Date.now(), contentLocale: 'en-us', contentDir: 'ltr', userLocale: 'en-us', userDir: 'ltr', pageTemplate: 'Conceptual', brand: '', context: {}, hasBinaryRating: true, feedbackHelpLinkType:'', feedbackHelpLinkUrl:'', standardFeedback: true, showFeedbackReport: 
false, enableTutorialFeedback: false, feedbackSystem: 'Standard', feedbackGitHubRepo: '', feedbackProductUrl: 'https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332',extendBreadcrumb: false,isEditDisplayable: true, hideViewSource: false, hasPageActions: true, hasPrintButton: true, hasBookmark: true, hasShare: true, isPermissioned: false, isPrivateUnauthorized: false,hasRecommendations: true,contributors: [{ name: "paolomatarazzo", url: "https://github.com/paolomatarazzo" },{ name: "mikurii", url: "https://github.com/mikurii" }],}, functions:{} }; </script><script src="https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js"></script> <script src="https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js"></script><script src="/static/assets/0.4.028726178/global/deprecation.js"></script><link rel="preconnect" href="//mscom.demdex.net" crossorigin> <link rel="dns-prefetch" href="//target.microsoft.com"> <link rel="dns-prefetch" href="//microsoftmscompoc.tt.omtrdc.net"> <link rel="preload" as="script" href="/static/third-party/adobe-target/at-js/2.9.0/at.js" integrity="sha384-1/viVM50hgc33O2gOgkWz3EjiD/Fy/ld1dKYXJRUyjNYVEjSUGcSN+iPiQF7e4cu" crossorigin="anonymous" id="adobe-target-script" type="application/javascript" /><script src="/static/assets/0.4.028726178/scripts/en-us/index-docs.js"></script></head> <body lang="en-us" dir="ltr"> <div class="header-holder has-default-focus"> <a href="#main" style="z-index: 1070" class="outline-color-text visually-hidden-until-focused position-fixed inner-focus focus-visible top-0 left-0 right-0 padding-xs text-align-center has-body-background" tabindex="1">Skip to main content</a><div hidden id="cookie-consent-holder" data-test-id="cookie-consent-container"></div> <div id="unsupported-browser" style=" background-color: white; color: black; padding: 16px; border-bottom: 1px solid grey;" hidden > <div style="max-width: 800px; margin: 0 auto;"> <p 
style="font-size: 24px">This browser is no longer supported.</p> <p style="font-size: 16px; margin-top: 16px;">Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.</p> <div style="margin-top: 12px;"> <a href="https://go.microsoft.com/fwlink/p/?LinkID=2092881 " style=" background-color: #0078d4; border: 1px solid #0078d4; color: white; padding: 6px 12px; border-radius: 2px; display: inline-block; ">Download Microsoft Edge</a> <a href="https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge" style=" background-color: white; padding: 6px 12px; border: 1px solid #505050; color: #171717; border-radius: 2px; display: inline-block; ">More info about Internet Explorer and Microsoft Edge</a> </div> </div> </div> <!-- liquid-tag banners global --> <!-- site header --> <header id="ms--site-header" data-test-id="site-header-wrapper" role="banner" itemscope="itemscope" itemtype="http://schema.org/Organization"> <div id="ms--mobile-nav" class="site-header display-none-tablet padding-inline-none gap-none" data-bi-name="mobile-header" data-test-id="mobile-header"></div> <div id="ms--primary-nav" class="site-header display-none display-flex-tablet" data-bi-name="L1-header" data-test-id="primary-header"></div> <div id="ms--secondary-nav" class="site-header display-none display-flex-tablet" data-bi-name="L2-header" data-test-id="secondary-header"></div> </header><div id="content-header" class="content-header uhf-container has-padding has-default-focus border-bottom-none" data-bi-name="content-header"> <div class="content-header-controls margin-xxs margin-inline-sm-tablet"> <button type="button" class="contents-button button button-sm margin-right-xxs" data-bi-name="contents-expand" aria-haspopup="true" data-contents-button> <span class="icon"><span class="docon docon-menu" aria-hidden="true"></span></span> <span class="contents-expand-title">Table of contents</span> </button> <button type="button" 
class="ap-collapse-behavior ap-expanded button button-sm" data-bi-name="ap-collapse" aria-controls="action-panel"> <span class="icon"><span class="docon docon-exit-mode" aria-hidden="true"></span></span> <span>Exit focus mode</span> </button> </div> </div><div id="disclaimer-holder" class="has-overflow-hidden has-default-focus"> <!-- liquid-tag banners sectional --> </div> </div> <div class="mainContainer uhf-container has-default-focus" data-bi-name="body"> <div class="columns has-large-gaps is-gapless-mobile "><div id="left-container" class="left-container is-hidden-mobile column is-one-third-tablet is-one-quarter-desktop"> <nav id="affixed-left-container" class="margin-top-sm-tablet position-sticky display-flex flex-direction-column" aria-label="Primary"></nav> </div><!-- .primary-holder --> <section class="primary-holder column is-two-thirds-tablet is-three-quarters-desktop"> <!--div.columns --> <div class="columns is-gapless-mobile has-large-gaps "><div id="main-column" class="column is-full is-8-desktop"> <main id="main" class="" role="main" data-bi-name="content" lang="en-us" dir="ltr"><!-- article-header --> <div id="article-header" class="background-color-body margin-top-sm-tablet margin-bottom-xs display-none-print"> <div class="display-flex align-items-center "><details id="article-header-breadcrumbs-overflow-popover" class="popover" data-for="article-header-breadcrumbs"> <summary class="button button-clear button-primary button-sm inner-focus" aria-label="All breadcrumbs"> <span class="icon"> <span class="docon docon-more"></span> </span> </summary> <div id="article-header-breadcrumbs-overflow" class="popover-content padding-none"> </div> </details> <bread-crumbs id="article-header-breadcrumbs" data-test-id="article-header-breadcrumbs" class="overflow-hidden flex-grow-1 margin-right-sm margin-right-md-tablet margin-right-lg-desktop margin-left-negative-xxs padding-left-xxs"></bread-crumbs><div id="article-header-page-actions" class="opacity-none 
margin-left-auto display-flex flex-wrap-no-wrap align-items-stretch"><a id="lang-link-tablet" class="button button-primary button-clear button-sm display-none display-inline-flex-tablet" title="Read in English" data-bi-name="language-toggle" data-read-in-link hidden> <span class="icon margin-none" aria-hidden="true" data-read-in-link-icon> <span class="docon docon-locale-globe"></span> </span> <span class="is-visually-hidden" data-read-in-link-text>Read in English</span> </a><button type="button" class="collection button button-clear button-sm button-primary display-none display-inline-flex-tablet" data-list-type="collection" data-bi-name="collection" title="Add to collection"> <span class="icon margin-none" aria-hidden="true"> <span class="docon docon-circle-addition"></span> </span> <span class="collection-status is-visually-hidden">Save</span> </button><a data-contenteditbtn class="button button-clear button-sm text-decoration-none button-primary display-none display-inline-flex-tablet" aria-label="Edit" title="Edit This Document" data-bi-name="edit" href="https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/identity-protection/hello-for-business/deploy/index.md" data-original_content_git_url="https://github.com/MicrosoftDocs/windows-docs-pr/blob/live/windows/security/identity-protection/hello-for-business/deploy/index.md" data-original_content_git_url_template="{repo}/blob/{branch}/windows/security/identity-protection/hello-for-business/deploy/index.md" data-pr_repo="" data-pr_branch=""> <span class="icon margin-none" aria-hidden="true"> <span class="docon docon-edit-outline"></span> </span> </a> <details class="popover popover-right" id="article-header-page-actions-overflow"> <summary class="justify-content-flex-start button button-clear button-sm button-primary" aria-label="More actions" title="More actions"> <span class="icon" aria-hidden="true"> <span class="docon docon-more-vertical"></span> </span> </summary> <div 
class="popover-content padding-xs"><button data-page-action-item="overflow-mobile" type="button" class="justify-content-flex-start button-block button-sm has-inner-focus button button-clear display-none-tablet" data-bi-name="contents-expand" data-contents-button data-popover-close> <span class="icon"> <span class="docon docon-editor-list-bullet" aria-hidden="true"></span> </span><span class="contents-expand-title">Table of contents</span></button><a id="lang-link-overflow" class="justify-content-flex-start button-sm has-inner-focus button button-clear button-block display-none-tablet" title="Read in English" data-bi-name="language-toggle" data-page-action-item="overflow-mobile" data-check-hidden="true" data-read-in-link hidden > <span class="icon" aria-hidden="true" data-read-in-link-icon> <span class="docon docon-locale-globe"></span> </span> <span data-read-in-link-text>Read in English</span> </a><button type="button" class="collection justify-content-flex-start button button-clear button-sm has-inner-focus button-block display-none-tablet" data-list-type="collection" data-bi-name="collection" title="Save" data-page-action-item="overflow-mobile" data-check-hidden="true" data-popover-close> <span class="icon" aria-hidden="true"> <span class="docon docon-circle-addition"></span> </span> <span class="collection-status">Save</span> </button> <button type="button" class="collection justify-content-flex-start button button-clear button-sm has-inner-focus button-block display-none-tablet" data-list-type="plan" data-bi-name="plan" title="Add to Plan" data-page-action-item="overflow-mobile" data-check-hidden="true" data-popover-close hidden> <span class="icon" aria-hidden="true"> <span class="docon docon-circle-addition"></span> </span> <span class="plan-status">Add to Plan</span> </button><a data-contenteditbtn class="button button-clear button-block button-sm has-inner-focus justify-content-flex-start text-decoration-none display-none-tablet" aria-label="Edit" 
title="Edit This Document" data-bi-name="edit" href="https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/identity-protection/hello-for-business/deploy/index.md" data-original_content_git_url="https://github.com/MicrosoftDocs/windows-docs-pr/blob/live/windows/security/identity-protection/hello-for-business/deploy/index.md" data-original_content_git_url_template="{repo}/blob/{branch}/windows/security/identity-protection/hello-for-business/deploy/index.md" data-pr_repo="" data-pr_branch=""> <span class="icon" aria-hidden="true"> <span class="docon docon-edit-outline"></span> </span> <span>Edit</span> </a><div aria-hidden="true" class="margin-none" data-page-action-item="overflow-all"></div> <hr class="display-none-tablet margin-bottom-xxs margin-top-xxs" /> <h4 class="font-size-sm padding-left-xxs">Share via</h4> <a class="button button-clear button-sm button-block has-inner-focus text-decoration-none justify-content-flex-start share-facebook" data-bi-name="facebook" data-page-action-item="overflow-all"> <span class="icon" aria-hidden="true"> <span class="docon docon-facebook-share font-size-md color-primary"></span> </span> <span class="margin-left-xxs">Facebook</span> </a> <a class="button button-clear button-sm has-inner-focus button-block text-decoration-none justify-content-flex-start share-twitter" data-bi-name="twitter" data-page-action-item="overflow-all"> <span class="icon" aria-hidden="true"> <span class="docon docon-xlogo-share font-size-xxs"></span> </span> <span class="margin-left-xxs">x.com</span> </a> <a class="button button-clear button-sm has-inner-focus button-block text-decoration-none justify-content-flex-start share-linkedin" data-bi-name="linkedin" data-page-action-item="overflow-all"> <span class="icon" aria-hidden="true"> <span class="docon docon-linked-in-logo font-size-sm color-primary"></span> </span> <span class="margin-left-xxs">LinkedIn</span> </a> <a class="button button-clear button-sm button-block 
has-inner-focus text-decoration-none justify-content-flex-start margin-bottom-xxs share-email" data-bi-name="email" data-page-action-item="overflow-all"> <span class="icon" aria-hidden="true"> <span class="docon docon-mail-message font-size-sm color-primary"></span> </span> <span class="margin-left-xxs">Email</span> </a><hr /> <button class="button button-block button-clear button-sm justify-content-flex-start has-inner-focus margin-top-xxs" title="Print" type="button" aria-label="Print" data-bi-name="print" data-page-action-item="overflow-all" data-popover-close data-print-page data-check-hidden="true"> <span class="icon" aria-hidden="true"> <span class="docon docon-print font-size-sm color-primary"></span> </span> <span class="margin-left-xxs">Print</span> </button> </div> </details> </div></div> </div> <!-- end article-header --><div> <button type="button" class="border contents-button button button-clear button-sm is-hidden-tablet has-inner-focus" data-bi-name="contents-expand" data-contents-button hidden> <span class="icon"> <span class="docon docon-editor-list-bullet" aria-hidden="true"></span> </span><span class="contents-expand-title">Table of contents</span></button> </div><!-- end mobile-contents button --> <div class="content "><h1 id="plan-a-windows-hello-for-business-deployment">Plan a Windows Hello for Business deployment</h1><div class="display-flex justify-content-space-between align-items-center flex-wrap-wrap page-metadata-container"> <div class="margin-right-xxs"> <ul class="metadata page-metadata" data-bi-name="page info" lang="en-us" dir="ltr"><li>Article</li><li class="visibility-hidden-visual-diff"><time class="is-invisible" data-article-date aria-label="Article review date" datetime="2024-10-30T08:00:00Z" data-article-date-source="calculated">10/30/2024</time> </li><li class="contributors-holder display-none-print"> <button aria-label="View all contributors" class="contributors-button link-button" data-bi-name="contributors" title="View all 
contributors">2 contributors</button> </li><li class="attributeList-holder"> <dl class="attributeList"> <dt>Applies to:</dt> <dd>✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>, ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a></dd> </dl> </li></ul> </div> <div id="user-feedback" class="margin-block-xxs display-none-print" data-hide-on-archived> <button id="user-feedback-button" data-test-id="conceptual-feedback-button" class="button button-sm button-clear button-primary" type="button" data-bi-name="user-feedback-button" data-user-feedback-button > <span class="icon" aria-hidden="true"> <span class="docon docon-like"></span> </span> <span>Feedback</span> </button> </div></div><nav id="center-doc-outline" class="doc-outline is-hidden-desktop display-none-print margin-bottom-sm" data-bi-name="intopic toc" aria-label="In this article"> <h2 id="ms--in-this-article" class="title is-6 margin-block-xs">In this article</h2> </nav><!-- <content> --><p>This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.</p> <p>This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure.</p> <div class="TIP"> <p>Tip</p> <p>If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. 
The Passwordless Wizard is available in the <a href="https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup" data-linktype="external">Microsoft 365 admin center</a>.</p> </div> <h2 id="using-this-guide">Using this guide</h2> <p>There are many options available for deploying Windows Hello for Business, ensuring compatibility with various organizational infrastructures. While the deployment process may appear complex, most organizations will find that they have already implemented the necessary infrastructure. It is important to note that Windows Hello for Business is a distributed system and requires proper planning across multiple teams within an organization.</p> <p>This guide aims to simplify the deployment process by helping you make informed decisions about each aspect of your Windows Hello for Business deployment. It provides information on the options available and assists in selecting the deployment approach that best suits your environment.</p> <h3 id="how-to-proceed">How to proceed</h3> <p>Read this document and record your decisions. 
When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment.</p> <p>There are seven main areas to consider when planning a Windows Hello for Business deployment:</p> <div class="checklist"> <ul> <li><a href="#deployment-options" data-linktype="self-bookmark">Deployment options</a></li> <li><a href="#pki-requirements" data-linktype="self-bookmark">Public Key Infrastructure (PKI) requirements</a></li> <li><a href="#authentication-to-microsoft-entra-id" data-linktype="self-bookmark">Authentication to Microsoft Entra ID requirements</a></li> <li><a href="#device-configuration-options" data-linktype="self-bookmark">Device configuration options</a></li> <li><a href="#licensing-for-cloud-services-requirements" data-linktype="self-bookmark">Licensing for cloud services requirements</a></li> <li><a href="#operating-system-requirements" data-linktype="self-bookmark">Operating System requirements</a></li> <li><a href="#prepare-users" data-linktype="self-bookmark">Prepare users</a></li> </ul> </div> <h2 id="deployment-options">Deployment options</h2> <p>The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.</p> <h3 id="deployment-models">Deployment models</h3> <p>It's fundamentally important to understand which deployment model to use for a successful deployment. 
Some aspects of the deployment might have already been decided for you based on your current infrastructure.</p> <p>There are three deployment models from which you can choose:</p> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services.</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources.</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want an SSO user experience when accessing them.</td> </tr> </tbody> </table> <div class="NOTE"> <p>Note</p> <ul> <li>The main use case of the on-premises deployment model is "Enhanced Security Administrative Environments", also known as "Red Forests"</li> <li>Migration from an on-premises deployment to a hybrid deployment requires redeployment</li> </ul> </div> <h3 id="trust-types">Trust types</h3> <p>A deployment's trust type defines how Windows Hello for Business clients <strong>authenticate to Active Directory</strong>. The trust type doesn't affect authentication to Microsoft Entra ID. 
For this reason, the trust type isn't applicable to a cloud-only deployment model.</p> <p>Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).</p> <p>The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.</p> <p>The deployment of certificates to users and domain controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. The additional infrastructure needed for certificate trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.</p> <p>There are three trust types from which you can choose:</p> <table> <thead> <tr> <th></th> <th>Trust type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud Kerberos</strong></td> <td>Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments.</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Key</strong></td> <td>Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires distributing certificates to domain controllers.</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Certificate</strong></td> <td>The certificate trust type issues authentication certificates to users. 
Users authenticate using a certificate requested using a device-bound key (hardware or software) created during the Windows Hello provisioning experience.</td> </tr> </tbody> </table> <p><em>Key trust</em> and <em>certificate trust</em> use certificate authentication-based Kerberos when requesting Kerberos ticket-granting tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for domain controller (DC) certificates, and requires end-user certificates for certificate trust.</p> <p>The goal of Windows Hello for Business cloud Kerberos trust is to provide a simpler deployment experience, when compared to the other trust types:</p> <ul> <li>No need to deploy a public key infrastructure (PKI) or to change an existing PKI</li> <li>No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning and being able to authenticate to Active Directory</li> <li><a href="/en-us/entra/identity/authentication/concept-mfa-howitworks" data-linktype="absolute-path">FIDO2 security key sign-in</a> can be deployed with minimal extra setup</li> </ul> <div class="TIP"> <p>Tip</p> <p>Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the <em>key trust model</em>. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.</p> </div> <p>Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. 
For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see <a href="/en-us/entra/identity/authentication/concept-mfa-howitworks" data-linktype="absolute-path">enabling passwordless security key sign-in to on-premises resources</a>.</p> <h2 id="pki-requirements">PKI requirements</h2> <p>Cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates. The other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:</p> <ul> <li>Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate</li> <li>Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA</li> <li>Hybrid deployments might need to issue VPN certificates to users to enable connectivity to on-premises resources</li> </ul> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Trust type</th> <th>PKI required?</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>no</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos</td> <td>no</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key</td> <td>yes</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Certificate</td> <td>yes</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Key</td> <td>yes</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Certificate</td> <td>yes</td> </tr> </tbody> </table> <h2 id="authentication-to-microsoft-entra-id">Authentication to Microsoft Entra ID</h2> <p>Users can authenticate to Microsoft Entra ID using federated authentication or cloud (nonfederated) 
authentication. Requirements vary based on trust type:</p> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Trust type</th> <th>Authentication to Microsoft Entra ID</th> <th>Requirements</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>Cloud authentication</td> <td>n/a</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>Federated authentication</td> <td>Non-Microsoft federation service</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos trust</td> <td>Cloud authentication</td> <td>Password hash sync (PHS) or Pass-through authentication (PTA)</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos trust</td> <td>Federated authentication</td> <td>AD FS or non-Microsoft federation service</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key trust</td> <td>Cloud authentication</td> <td>Password hash sync (PHS) or Pass-through authentication (PTA)</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key trust</td> <td>Federated authentication</td> <td>AD FS or non-Microsoft federation service</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Certificate trust</td> <td>Federated authentication</td> <td>This deployment model doesn't support PTA or PHS. 
Active Directory must be federated with Microsoft Entra ID using AD FS</td> </tr> </tbody> </table> <p>To learn more:</p> <ul> <li><a href="/en-us/entra/identity/hybrid/connect/whatis-fed" data-linktype="absolute-path">Federation with Microsoft Entra ID</a></li> <li><a href="/en-us/entra/identity/hybrid/connect/whatis-phs" data-linktype="absolute-path">Password hash synchronization (PHS)</a></li> <li><a href="/en-us/entra/identity/hybrid/connect/how-to-connect-pta" data-linktype="absolute-path">Pass-through authentication (PTA)</a></li> </ul> <h3 id="device-registration">Device registration</h3> <p>For on-premises deployments, the server running the Active Directory Federation Services (AD FS) role is responsible for device registration. For cloud-only and hybrid deployments, devices must register in Microsoft Entra ID.</p> <table> <thead> <tr> <th>Deployment model</th> <th>Supported join type</th> <th>Device registration service provider</th> </tr> </thead> <tbody> <tr> <td><strong>Cloud-only</strong></td> <td>Microsoft Entra joined<br>Microsoft Entra registered</td> <td>Microsoft Entra ID</td> </tr> <tr> <td><strong>Hybrid</strong></td> <td>Microsoft Entra joined<br>Microsoft Entra hybrid joined<br>Microsoft Entra registered</td> <td>Microsoft Entra ID</td> </tr> <tr> <td><strong>On-premises</strong></td> <td>Active Directory domain joined</td> <td>AD FS</td> </tr> </tbody> </table> <div class="IMPORTANT"> <p>Important</p> <p>For <em>Microsoft Entra hybrid joined</em> guidance, review <a href="/en-us/entra/identity/devices/hybrid-join-plan" data-linktype="absolute-path">Plan your Microsoft Entra hybrid join implementation</a>.</p> </div> <h3 id="multifactor-authentication">Multifactor authentication</h3> <p>The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a <em>strong credential</em> that enables easy two-factor authentication. 
The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:</p> <ul> <li>For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including <a href="/en-us/entra/identity/authentication/concept-mfa-howitworks" data-linktype="absolute-path">Microsoft Entra MFA</a></li> <li>On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see <a href="/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods" data-linktype="absolute-path">Microsoft and non-Microsoft additional authentication methods</a></li> </ul> <div class="IMPORTANT"> <p>Important</p> <p>Beginning July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication.</p> <p>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should <a href="/en-us/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication" data-linktype="absolute-path">migrate their users' authentication data</a> to the cloud-based Azure MFA.</p> </div> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>MFA options</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>Microsoft Entra MFA</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Microsoft Entra MFA</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Non-Microsoft MFA, via external authentication method in Microsoft Entra ID or federation</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>AD FS MFA adapter</td> </tr> </tbody> </table> <p>For more information:</p> <ul> <li><a href="/en-us/entra/identity/authentication/howto-mfa-mfasettings" data-linktype="absolute-path">Configure Microsoft Entra multifactor authentication settings</a></li> <li><a href="/en-us/entra/identity/authentication/how-to-authentication-external-method-manage" data-linktype="absolute-path">Manage an external authentication method in Microsoft Entra ID</a></li> </ul> <h4 id="mfa-and-federated-authentication">MFA and federated authentication</h4> <p>It's possible for federated domains to configure the <em>FederatedIdpMfaBehavior</em> flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see <a href="/en-us/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values" data-linktype="absolute-path">federatedIdpMfaBehavior values</a>. 
To check this setting, use the following PowerShell commands:</p> <pre><code class="lang-powershell">Connect-MgGraph
$DomainId = "&lt;your federated domain name&gt;"
Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
</code></pre> <p>To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain:</p> <pre><code class="lang-powershell">Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
</code></pre> <p>If you configure the flag with a value of either <code>acceptIfMfaDoneByFederatedIdp</code> (default) or <code>enforceMfaByFederatedIdp</code>, you must verify that your federated IdP is correctly configured and working with the MFA adapter and provider used by your IdP, because with these values Microsoft Entra ID accepts the MFA claim that the IdP issues.</p> <h3 id="key-registration">Key registration</h3> <p>The built-in Windows Hello for Business provisioning experience creates a device-bound asymmetric key pair as the user's credentials. The private key is protected by the device's security modules. The credential is a <em>user key</em>, not a <em>device key</em>. 
The provisioning experience registers the user's public key with the identity provider:</p> <table> <thead> <tr> <th>Deployment model</th> <th>Key registration service provider</th> </tr> </thead> <tbody> <tr> <td><strong>Cloud-only</strong></td> <td>Microsoft Entra ID</td> </tr> <tr> <td><strong>Hybrid</strong></td> <td>Microsoft Entra ID</td> </tr> <tr> <td><strong>On-premises</strong></td> <td>AD FS</td> </tr> </tbody> </table> <h3 id="directory-synchronization">Directory synchronization</h3> <p>Hybrid and on-premises deployments use directory synchronization; however, each uses it for a different purpose:</p> <ul> <li>Hybrid deployments use <a href="/en-us/entra/identity/hybrid/connect/how-to-connect-sync-whatis" data-linktype="absolute-path">Microsoft Entra Connect Sync</a> to synchronize Active Directory identities (users and devices) or credentials between Active Directory and Microsoft Entra ID. During the Windows Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. Microsoft Entra Connect Sync synchronizes the Windows Hello for Business public key to Active Directory. This synchronization enables SSO to Microsoft Entra ID and its federated components. <div class="IMPORTANT"> <p>Important</p> <p>Windows Hello for Business is tied between a user and a device. 
Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.</p> </div> </li> <li>On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA server, which sends data to the MFA cloud service to perform the verification</li> </ul> <table> <thead> <tr> <th>Deployment model</th> <th>Directory sync options</th> </tr> </thead> <tbody> <tr> <td><strong>Cloud-only</strong></td> <td>n/a</td> </tr> <tr> <td><strong>Hybrid</strong></td> <td>Microsoft Entra Connect Sync</td> </tr> <tr> <td><strong>On-premises</strong></td> <td>Azure MFA server</td> </tr> </tbody> </table> <div class="IMPORTANT"> <p>Important</p> <p>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should <a href="/en-us/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication" data-linktype="absolute-path">migrate their users' authentication data</a> to the cloud-based Azure MFA.</p> </div> <h2 id="device-configuration-options">Device configuration options</h2> <p>Windows Hello for Business provides a rich set of granular policy settings. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).</p> <ul> <li>The CSP option is ideal for devices that are managed through a Mobile Device Management (MDM) solution, like Microsoft Intune. 
CSPs can also be configured with <a href="/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer" data-linktype="absolute-path">provisioning packages</a></li> <li>GPO can be used to configure domain joined devices and where devices aren't managed via MDM</li> </ul> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Device configuration options</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>CSP</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>GPO (local)</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>CSP</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>GPO (Active Directory or local)</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>CSP</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>GPO (Active Directory or local)</td> </tr> </tbody> </table> <h2 id="licensing-for-cloud-services-requirements">Licensing for cloud services requirements</h2> <p>Here are some considerations regarding licensing requirements for cloud services:</p> <ul> <li>Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as <a href="/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment" data-linktype="absolute-path">MDM automatic enrollment</a> and <a href="/en-us/entra/identity/conditional-access/overview" data-linktype="absolute-path">Conditional Access</a> do <ul> <li>Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported non-Microsoft MDM</li> </ul> </li> <li>You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. 
All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features <ul> <li>Some Microsoft Entra multifactor authentication features require a license. For more information, see <a href="/en-us/entra/identity/authentication/concept-mfa-licensing" data-linktype="absolute-path">Features and licenses for Microsoft Entra multifactor authentication</a>.</li> </ul> </li> <li>Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature</li> </ul> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Trust type</th> <th>Cloud services licenses (minimum)</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>not required</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos</td> <td>not required</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key</td> <td>not required</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Certificate</td> <td>Microsoft Entra ID P1</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Key</td> <td>Azure MFA, if used as MFA solution</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Certificate</td> <td>Azure MFA, if used as MFA solution</td> </tr> </tbody> </table> <div class="IMPORTANT"> <p>Important</p> <p>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should <a href="/en-us/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication" data-linktype="absolute-path">migrate their users' authentication data</a> to the cloud-based Azure MFA.</p> </div> <h2 id="operating-system-requirements">Operating System requirements</h2> <h3 id="windows-requirements">Windows requirements</h3> <p>All supported Windows versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:</p> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Trust type</th> <th>Windows version</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos</td> <td>- Windows 10 21H2, with <a href="https://support.microsoft.com/topic/5010415" data-linktype="external">KB5010415</a> and later<br>- Windows 11 21H2, with <a href="https://support.microsoft.com/topic/5010414" data-linktype="external">KB5010414</a> and later</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Certificate</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Key</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Certificate</td> <td>All supported versions</td> </tr> </tbody> </table> <h3 id="windows-server-requirements">Windows Server requirements</h3> <p>Windows Hello for Business can be used to authenticate against all supported Windows Server versions as a domain controller. 
However, cloud Kerberos trust requires minimum versions:</p> <table> <thead> <tr> <th></th> <th>Deployment model</th> <th>Trust type</th> <th>Domain controller OS version</th> </tr> </thead> <tbody> <tr> <td><strong>🔲</strong></td> <td><strong>Cloud-only</strong></td> <td>n/a</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Cloud Kerberos</td> <td>- Windows Server 2016, with <a href="https://support.microsoft.com/topic/4534307" data-linktype="external">KB4534307</a> and later<br>- Windows Server 2019, with <a href="https://support.microsoft.com/topic/4534321" data-linktype="external">KB4534321</a> and later<br>- Windows Server 2022<br>- Windows Server 2025</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Key</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>Hybrid</strong></td> <td>Certificate</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Key</td> <td>All supported versions</td> </tr> <tr> <td><strong>🔲</strong></td> <td><strong>On-premises</strong></td> <td>Certificate</td> <td>All supported versions</td> </tr> </tbody> </table> <p>The minimum required domain functional and forest functional levels are Windows Server 2008 R2 for all deployment models.</p> <h2 id="prepare-users">Prepare users</h2> <p>When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to provision and use Windows Hello.</p> <p>To learn more, see <a href="prepare-users" data-linktype="relative-path">Prepare users</a>.</p> <h2 id="next-steps">Next steps</h2> <p>Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization.</p> <div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"> <p>To learn more about the deployment 
process, choose a deployment model and trust type from the following drop-down lists:</p> <ul> <li><a href="cloud-only" data-linktype="relative-path">(cloud-only|n/a)</a></li> <li><a href="hybrid-cloud-kerberos-trust" data-linktype="relative-path">(hybrid | cloud Kerberos trust)</a></li> <li><a href="hybrid-key-trust" data-linktype="relative-path">(hybrid | key trust)</a></li> <li><a href="hybrid-cert-trust" data-linktype="relative-path">(hybrid | certificate trust)</a></li> <li><a href="on-premises-key-trust" data-linktype="relative-path">(on-premises | key trust)</a></li> <li><a href="on-premises-cert-trust" data-linktype="relative-path">(on-premises | certificate trust)</a></li> </ul> </div> <!--links--> </div> </main> </body> </html>