Exam MS-500 topic 1 question 65 discussion

1. Hybrid 2. Key

Her is your answer: The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires Windows Server 2016 or later Active Directory schema). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. 1. Hybrid 2. Certificate Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide

Certificate model is wrong because it saying minimum admin effort: Certificate model: Prerequisites Directories and directory synchronization Federated authentication to Azure AD ---- This one require is huge amount admin effort Device registration Public Key Infrastructure Multi-factor authentication Device management Hybrid key trust: Prerequisites Directories and directory synchronization Authentication to Azure AD ---- This is easy can be pass hash sync or pass-through Device registration Public Key Infrastructure Multi-factor authentication Device management

The question itself is incorrect. Probably it mention about domain functional level 2016. Because the Windows Server 2016 is the most recent forest and domain functional level. Windows server 2019 and 2022 are using the Windows Server 2016 forest and domain functional level.

I think the answer is correct, hybrid - certificate, because here: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs so it has to be hybrid, but not sure which deployment type is easier, I guess Certificate, because it has less steps in the guide? :D

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview#comparing-key-based-and-certificate-based-authentication "Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello." https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide "The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates." For last the name in the URL is my reply https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust