Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello,
I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices.
I recently enabled HAADJ in AAD Connect. As expected first of all, the devices acquire a userCertificate attribute as part of the WorkplaceJoin schedule task, sync to AzureAD as part on the next AADConnect sync cycle and show up in the Azure AD tenant as a HAAD device.
The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to setup a Windows Hello for Business PIN. You can skip the process and continue but every subsequent login ask you to set-up a PIN which you can sync.
The devices are HAADJ but not enrolled into Intune for MDM.
In the AzureAD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt.
I only way forward I'm finding to deal with this is by setting the settings “Use Windows Hello for Business” under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business” to Disabled. It was previously set to Not Configured. This stops the setup PIN prompt coming up after login, however, notifications still appear in the notification area after login saying that The system is configured to use Windows Hello for Business, Click here to setup you PIN.
I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings.
End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business. Any ideas?