---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.collection:
- highpri
ms.date: 12/13/2022
appliesto:
- ✅ Windows 10 and later
- ✅ Windows Server 2016 and later
ms.topic: article
---
# Windows Hello for Business Deployment Prerequisite Overview
This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
## Azure AD Cloud Only Deployment
- Azure Active Directory
- Azure AD Multifactor Authentication
- Device management solution (Intune or supported third-party MDM), *optional*
- Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
## Hybrid Deployments
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Requirement | cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed |
| --- | --- | --- | --- | --- |
| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions |
| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema |
| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
| **Certificate Authority**| N/A |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
| **AD FS Version** | N/A | N/A | Any supported Windows Server versions | Any supported Windows Server versions |
| **MFA Requirement** | Azure MFA, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter |
| **Azure AD Connect** | N/A | Required | Required | Required |
| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
## On-premises Deployments
The table shows the minimum requirements for each deployment.
| Key trust
Group Policy managed | Certificate trust
Group Policy managed|
| --- | --- |
|Any supported Windows client versions|Any supported Windows client versions|
| Windows Server 2016 Schema | Windows Server 2016 Schema|
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Any supported Windows Server versions | Any supported Windows Server versions |
| Any supported Windows Server versions | Any supported Windows Server versions |
| Any supported Windows Server versions | Any supported Windows Server versions |
| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |