Jul 30 2021 01:46 AM
Jul 30 2021 01:46 AM
I’m a complete newbie in Microsoft 365 security and need some guidance for a client who is look has Windows Hello for business queries.
Any help would be highly appreciated.
Aug 02 2021 02:47 AMSolution
I would recommend you to start here: Planning a Windows Hello for Business Deployment - Microsoft 365 Security | Microsoft Docs. If you follow that guide, you should be able to answer your clients questions.
To quickly point out your specific questions, the difference between key trust and certificate trust are as follows:
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
If your organization wants to use the key trust type, write key trust in box 1b on your planning worksheet. Write Windows Server 2016 in box 4d. Write N/A in box 5b.
If your organization wants to use the certificate trust type, write certificate trust in box 1b on your planning worksheet. Write Windows Server 2008 R2 or later in box 4d. In box 5c, write smart card logon under the Template Name column and write users under the Issued To column on your planning worksheet.
If your client fits the hybrid deployment requirements, depends on the trust type you choose.