How to Set Up Windows Server 2016 Microsoft Passport

Microsoft Passport, now formally named Windows Hello for Business in modern documentation, is a credential technology introduced with Windows 10 and Windows Server 2016 that replaces traditional passwords with strong two-factor authentication using public key cryptography. In the Windows Server 2016 timeframe, Microsoft Passport referred to the server-side infrastructure components that enable certificate-based and key-based authentication for domain-joined and Azure AD-joined devices. This guide covers configuring the server-side prerequisites for Microsoft Passport in a Windows Server 2016 Active Directory environment.

Understanding Microsoft Passport Architecture

Microsoft Passport creates a user-specific cryptographic key pair on the device. The private key is protected by the device’s TPM (Trusted Platform Module) or by software if a TPM is not available. The public key is registered with the identity provider — either Active Directory (for domain-joined devices), Azure Active Directory, or a Microsoft Account. Authentication is performed by the device proving possession of the private key through a user gesture (PIN, fingerprint, or facial recognition) rather than transmitting a password over the network. This eliminates the risk of password theft through credential phishing, pass-the-hash, or network interception.

Deployment Models

Windows Server 2016 supports three deployment models for Microsoft Passport. The Key Trust model uses public key cryptography with no certificate requirement — the DC must be running Windows Server 2016 or later to validate key-based authentication. The Certificate Trust model issues a certificate to the user from a PKI (Public Key Infrastructure) and is compatible with older Domain Controllers. The Azure AD Join model is for cloud-first or hybrid environments where devices are joined to Azure AD rather than on-premises AD. This guide focuses on the on-premises Key Trust and Certificate Trust models.

Prerequisites for Key Trust Deployment

For Key Trust, all Domain Controllers must be Windows Server 2016 or later. The domain functional level must be Windows Server 2008 R2 or higher. Windows 10 version 1703 or later client devices are required. User certificates, and the PKI to enroll them, are NOT required for Key Trust (they are required only for Certificate Trust). A Kerberos Key Distribution Center (KDC) certificate is still required on each DC running Windows Server 2016; this certificate is issued automatically from an enterprise CA when the domain is configured for Key Trust.

Prerequisites for Certificate Trust Deployment

Certificate Trust requires an Active Directory Certificate Services (AD CS) Enterprise CA. Mobile Device Management (MDM) or Group Policy is needed to configure client devices. Certificate enrollment must be configured for Microsoft Passport keys. This model is needed when Domain Controllers are not all running Windows Server 2016.

Configuring Group Policy for Microsoft Passport

The primary configuration mechanism for Microsoft Passport is Group Policy. Open the Group Policy Management Console and create a new GPO. Navigate to:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Enable the following policies:

Use Windows Hello for Business: Enabled
Use certificate for on-premises authentication: Enabled (for Certificate Trust) or Disabled (for Key Trust)
Use a hardware security device: Enabled (requires TPM — recommended)
Use biometrics: Enabled

Setting Up AD FS for Microsoft Passport

For on-premises deployments configured through Group Policy, Active Directory Federation Services (AD FS) is required by some deployment models, notably Certificate Trust. Install AD FS on Windows Server 2016:

Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

Configure the AD FS farm. This requires a server certificate (from an internal or public CA), a service account, and a database (WID or SQL Server):

Import-Module ADFS
# "<SSL-CERT-THUMBPRINT>" is a placeholder for the thumbprint of the AD FS service communications certificate, which must already be installed in the local machine certificate store
Install-AdfsFarm -CertificateThumbprint "<SSL-CERT-THUMBPRINT>" -FederationServiceName "adfs.corp.local" -ServiceAccountCredential (Get-Credential)

Registering Devices

For Windows 10 devices to use Microsoft Passport, they must be domain-joined and have Group Policy applied. To verify that a device has successfully provisioned a Passport key:

dsregcmd /status

Look for the AzureAdJoined, DomainJoined, and NgcSet fields. NgcSet: YES indicates that a Next Generation Credential (the Passport key) has been set up on the device for the current user.

Configuring the KDC for Key Trust

For Key Trust deployments, the Kerberos Key Distribution Center (KDC) on Windows Server 2016 DCs must have a valid certificate. This is typically handled automatically when the domain has an enterprise CA. The certificate issued from the Kerberos Authentication template allows DCs to authenticate users using their Passport key. Verify the certificate is present on the DC (the /C: switch makes findstr match the whole phrase rather than either word on its own):

certutil -store My | findstr /i /C:"Kerberos Authentication"
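The template name alone does not prove the DC can serve Key Trust logons. The following PowerShell check is an added example, not part of the original guide: it looks in the DC's machine store for a certificate carrying the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) with a private key and reports its validity. The 30-day expiry warning threshold is an assumption.

```powershell
# Added example (not from the original guide). Run on a Windows Server 2016 DC. Key Trust
# needs a DC certificate that carries the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) and
# has a private key, so the check looks at those rather than at the template name alone.
# The 30-day expiry warning threshold is an assumption.
$KdcAuthEku  = '1.3.6.1.5.2.3.5'
$TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$WarnDays    = 30

function Get-KdcCertificateStatus {
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku }

    if (-not $certs) {
        return [pscustomobject]@{ Status = 'Missing'; Detail = 'No certificate with the KDC Authentication EKU in LocalMachine\My' }
    }

    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
        # A certificate without its private key cannot be used by the KDC at all
        $status = if (-not $cert.HasPrivateKey) { 'NoPrivateKey' } elseif ($daysLeft -le 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
        [pscustomobject]@{
            Status     = $status
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            # Template extension text, e.g. "Template=Kerberos Authentication(...)"
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
        }
    }
}

Get-KdcCertificateStatus | Format-List
```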

Verifying Microsoft Passport Enrollment

After configuring Group Policy and ensuring devices are properly enrolled, verify that users are using Passport for authentication. Check the Windows Event Log on the client:

Get-WinEvent -LogName "Microsoft-Windows-HelloForBusiness/Operational" -MaxEvents 50 | Select-Object TimeCreated, Id, Message | Format-List

Event ID 358 indicates successful provisioning. Event ID 360 indicates an error during provisioning. On the server side, check the AD FS event logs for authentication events when using Certificate Trust.
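The device registration check and the event log check above can be combined into one client-side script. The following is an added example, not from the original guide: it parses dsregcmd /status into a lookup table (assuming the one-field-per-line "Name : Value" output format), reads the DomainJoined, AzureAdJoined and NgcSet fields, and counts the provisioning events by the IDs stated above.

```powershell
# Added example (not from the original guide). Run on the Windows 10 client as the user
# whose Passport key is being verified. Event IDs 358 (success) and 360 (error) are the
# ones named in this guide; the dsregcmd output format "Name : Value" is an assumption.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines = (dsregcmd /status))
    $status = @{}
    foreach ($line in $Lines) {
        # Field lines look like "               NgcSet : YES"; headers and box-drawing lines have no colon
        if ($line -match '^\s*([A-Za-z][\w\s\-\.]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HelloProvisioning {
    param([int]$MaxEvents = 50)
    $s = ConvertFrom-DsregStatus
    $result = [ordered]@{
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        NgcSet        = $s['NgcSet']
        Provisioned   = ($s['NgcSet'] -eq 'YES')   # NgcSet: YES means the Passport key exists for this user
    }
    $events = Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $result.SuccessEvents = @($events | Where-Object Id -eq 358).Count
    $result.ErrorEvents   = @($events | Where-Object Id -eq 360).Count
    # Surface the most recent error message so the failure reason is visible at a glance
    $lastError = $events | Where-Object Id -eq 360 | Select-Object -First 1
    $result.LastError = if ($lastError) { $lastError.Message } else { $null }
    [pscustomobject]$result
}

Test-HelloProvisioning | Format-List
```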

PIN Complexity Policy

Configure PIN complexity requirements through Group Policy:

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > PIN Complexity

Set minimum PIN length to at least 8 digits. Optionally require uppercase letters, lowercase letters, digits, and special characters. Configure PIN expiry to enforce periodic PIN changes.
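The Group Policy settings from the Configuring Group Policy section and the PIN Complexity settings above can also be applied with the GroupPolicy PowerShell module instead of the GPMC UI. The following is an added example, not part of the original guide, for a Key Trust deployment: the GPO name, target OU and the PIN expiry and history values are assumptions, and the registry paths are the ones the Windows Hello for Business ADMX policies write under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork.

```powershell
# Added example (not from the original guide). GPO name, OU and the PIN expiry/history
# values are assumptions; registry paths are the ones the Windows Hello for Business
# ADMX policies write. Run on a domain-joined admin workstation with RSAT installed.
Import-Module GroupPolicy

$GpoName   = 'WHfB Key Trust'                          # assumed GPO name
$TargetOu  = 'OU=Workstations,DC=corp,DC=local'        # assumed OU to link the GPO to
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork'
$PinKey    = "$PolicyKey\PINComplexity"

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Windows Hello for Business, Key Trust model' | Out-Null
}

# "Use Windows Hello for Business": Enabled
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
# "Use certificate for on-premises authentication": 0 = Disabled (Key Trust), 1 = Enabled (Certificate Trust)
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UseCertificateForOnPremAuth' -Type DWord -Value 0 | Out-Null
# "Use a hardware security device": Enabled, so provisioning requires a TPM instead of falling back to a software key
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'RequireSecurityDevice' -Type DWord -Value 1 | Out-Null

# PIN Complexity: minimum length 8 as above; expiry (days, 0 = never) and history are assumed values
Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'MinimumPINLength' -Type DWord -Value 8   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'Expiration'       -Type DWord -Value 180 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PinKey -ValueName 'History'          -Type DWord -Value 5   | Out-Null
# "Use biometrics" is a separate policy value not covered by this example; set it in the GPMC.

New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Baseline audit: read the values back and warn on anything that drifted from the intended settings
$expected = @{ Enabled = 1; UseCertificateForOnPremAuth = 0; RequireSecurityDevice = 1 }
foreach ($name in $expected.Keys) {
    $actual = (Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name -ErrorAction SilentlyContinue).Value
    if ($actual -ne $expected[$name]) { Write-Warning "$name = '$actual' in '$GpoName', expected $($expected[$name])" }
}
```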

Best Practices

Deploy Microsoft Passport in pilot to a subset of users before broad rollout. Start with Key Trust if all DCs are Windows Server 2016 — it is simpler to deploy than Certificate Trust. Require TPM 2.0 for maximum security, as software-protected keys are less secure. Monitor enrollment rates through Group Policy reporting and event logs. Educate users about PIN security — a PIN is tied to the specific device and cannot be used from another device, making it fundamentally different from a password. Combine with Conditional Access policies for hybrid environments.

Microsoft Passport represents a major step forward in authentication security. By eliminating password-based network authentication for enrolled devices and users, organizations significantly reduce their exposure to the most common attack vectors in modern credential-based intrusions.