Forum Discussion

Ben Owens's avatar
Ben Owens
Brass Contributor
Mar 12, 2020

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled

Hello,

 

I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices.

 

I recently enabled HAADJ in AAD Connect.  As expected first of all, the devices acquire a userCertificate attribute as part of the WorkplaceJoin schedule task, sync to AzureAD as part on the next AADConnect sync cycle and show up in the Azure AD tenant as a HAAD device.

 

The issue I encounter is with the Windows Hello for Business prompt.  When a synced user logs in, they're prompted to setup a Windows Hello for Business PIN.  You can skip the process and continue but every subsequent login ask you to set-up a PIN which you can sync.

 

The devices are HAADJ but not enrolled into Intune for MDM.

 

In the AzureAD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured.  I also changed this to Disabled, but the users still get the prompt.

 

I only way forward I'm finding to deal with this is by setting the settings “Use Windows Hello for Business” under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business” to Disabled.  It was previously set to Not Configured.  This stops the setup PIN prompt coming up after login, however, notifications still appear in the notification area after login saying that The system is configured to use Windows Hello for Business,  Click here to setup you PIN.

 

I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings.

 

End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business.  Any ideas?

 

  • Moe_Kinani's avatar
    Moe_Kinani
    Bronze Contributor
    Very strange. I have exactly same setup but I don’t get your experience.
    Do you have Security Baseline or Windows Config profile in place that somehow pushing the setting? There are multiple places that you can enable WHFB in Intune.
    • Ben Owens's avatar
      Ben Owens
      Brass Contributor

      Moe_Kinani I know, very odd. 

      The devices are only becoming Hybrid Azure AD Joined, I'm not enrolling Windows devices into InTune.  If I check InTune devices, there's no devices showing, as I'd expect.

       

      I have not encountered this on other installations with the same scenario.  I'm wondering if it's something specific within the AD forest environment I'm deploying into causing this to occur, opposed to the Tenant side setting but can't see what.


      I checked security baselines and windows configs in InTune and there's nothing assigned.  However, I would only expect that to take effect if the devices/devices were InTune enrolled.

      The only way forward have found so far is scoping a GPO which scopes the setting Use Windows Hello for Business to Disabled under User Configuration\Administrative Templates\Windows Components\Windows Hello for Business.

       

      Just looking at the logic as why when Use Windows Hello for Business is set Not Configured devices are prompting the user to set-up a pin after domain login. 


      Some example screenshots below.

      • Moe_Kinani's avatar
        Moe_Kinani
        Bronze Contributor
        Very clear. Thought you had the devices enrolled to Intune.

        Not sure if you have Intune license but worth try to enroll the device with Intune and disable WHFB by Config profile and scope it to the computer. I’m presuming this scenario because you are certain no Local GPO applied to enable WHFB.

        Moe

Resources