Forum Discussion
Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Moe_Kinani I know, very odd.
The devices are only becoming Hybrid Azure AD Joined, I'm not enrolling Windows devices into InTune. If I check InTune devices, there's no devices showing, as I'd expect.
I have not encountered this on other installations with the same scenario. I'm wondering if it's something specific within the AD forest environment I'm deploying into causing this to occur, opposed to the Tenant side setting but can't see what.
I checked security baselines and windows configs in InTune and there's nothing assigned. However, I would only expect that to take effect if the devices/devices were InTune enrolled.
The only way forward have found so far is scoping a GPO which scopes the setting Use Windows Hello for Business to Disabled under User Configuration\Administrative Templates\Windows Components\Windows Hello for Business.
Just looking at the logic as why when Use Windows Hello for Business is set Not Configured devices are prompting the user to set-up a pin after domain login.
Some example screenshots below.
Not sure if you have Intune license but worth try to enroll the device with Intune and disable WHFB by Config profile and scope it to the computer. I’m presuming this scenario because you are certain no Local GPO applied to enable WHFB.
Moe
Managed to shed some light on this.
In short, ignore the WHFB settings in InTune unless the device is MDM enrolled and managed by InTune. Essentially this was the associated to a group policy via AD on premises which was already in place for the AD forest/domain.
There was a COMPUTER GP in place which set "Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business” to Enabled. I imagine that somebody switched it to enabled thinking that would be nice to have.
After enabling HAADJ, a device was becoming hybrid joined, and the subsequent login (from a synced AD user) resulted in a WHFB Set-Up PIN prompt.
If the "Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business” setting been set to Not Configured, this wouldn't have arisen as an issue.
As a note, once we had set the "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business” to Disabled, that took priority over the Computer Configuration policy and the WHFB prompt didn't show.So lesson learnt is to check those GP settings in an AD on premises prior to mass syncing devices to be Hybrid Azure AD Joined.
- hi Ben
I am facing the same issue can you guide me on this issue. how you are resolved the issue i have the hybrid ad setup post enrolling of the device windows hello prompt appeared on the user login screen
till now i have disabled windows hello in the intune portal and one of the GPO is configured windows Hello Enable i have marked as a not configured.
is there any other changes i have to do stop the prompting user for windows hello prompt
- Thanks for the idea.
I'm pretty certain that the Use Windows Hello for Business setting is set to Not Configured as standard for Win10 devices.
The curious part is I haven't seen this issue before on other set-ups where HAADJ is enabled and WHFB is set to disabled or Not Configured under Windows Enrolment.
I'm going to continue with amending the WHFB setting by domain GPO for the time being, as opposed to enrolling into InTune for modify the setting. They'll essentially achieve the same outcome.
Any other ideas welcome as to the WHFB setup PIN comes up when 'Use Windows Hello for Business' setting is set to 'Not Configured' as standard for Win10 devices.
