
Prerequisites

Supported Deployment Model and Trust Type

When enabling Windows Hello for Business for your organization, you will need to decide which deployment model and trust type suit your organization. Microsoft supports five combinations of deployment model and trust type:

  • Cloud Only Deployment

  • Hybrid Azure AD joined Certificate Trust Deployment

  • Hybrid Azure AD joined Key Trust Deployment

  • On-premises Certificate Trust Deployment

  • On-premises Key Trust Deployment

Check the official Microsoft documents, Planning a Windows Hello for Business Deployment and Windows Hello for Business Deployment Prerequisite Overview, for full details about which model you can and should use.

You do not need to be concerned about the Windows Server Certificate Authority listed in the Microsoft prerequisite document, since its role is covered by DigiCert.

Currently, DigiCert supports the Hybrid Azure AD joined Certificate Trust Deployment model and is planning to support additional certificate-based trust models. DigiCert will not support either of the two Key Trust Deployment models.

Required Windows Hello for Business Setup

The following shows the steps required to set up a Windows Hello for Business solution for Hybrid Azure AD joined Certificate Trust Deployment. These are the steps outlined in the official Microsoft deployment guides; the link for each step takes you to the corresponding Microsoft document.

You will need to complete all steps up to 5-a. Active Directory, but in 3. New Installation Baseline, skip the “Public Key Infrastructure” section. You can also skip 5-b. Public Key Infrastructure and 5-c. Active Directory Federation Services, and finish 5-d. Group Policy first. This document replaces those sections, substituting a DigiCert Certificate Authority for the Windows Server Certificate Authority.

When all the steps covered in this document are completed, you can move on to 6. Sign-in and Provision. If all the configuration is properly in place, provisioning should happen when the user logs on to their Windows machine.

Required Autoenrollment Server Setup

To enable Windows Hello for Business certificates to be issued from a DigiCert Certificate Authority, the DigiCert Autoenrollment Server must be installed and configured in your enterprise Windows domain. Follow the directions in the DigiCert® Trust Lifecycle Manager | Autoenrollment Server deployment guide (Autoenrollment Server 5.1.24) to install and configure it.

All steps in that document need to be completed, and it is recommended to first check that certificates can be issued using a certificate profile that is not for Windows Hello for Business. The issuance process for Windows Hello for Business is complicated, and troubleshooting is easier if you have confirmed that your Autoenrollment Server can issue certificates properly before configuring it for the Windows Hello for Business solution.

DigiCert has qualified the Windows Hello for Business solution with DigiCert Autoenrollment Server and ADFS running on Windows Server 2022.

Previous versions of Windows Server may work, but DigiCert has neither formally qualified them nor claims support for them.