Azure AD Joined device is not honoring Windows Hello for Business Config Policy from Intune
I did come to a few findings myself (support and documentation were no help)
It's not accurately documented and took a lot of digging but basically the 4 places to set WHfB configs (in Intune) don't all write to the same area of the registry. Although everything is written to HKLM\Software\Microsoft\Policies\PassportForWindows, there are sub keys for device and user.
Windows Enrollment - writes to device
Identity Protection (Config Profile) - writes to user
Settings Catalogue (Config Profile) - can write to both user and device
Account Protection (Endpoint Security) - writes to user.
If you configure the Windows Enrollment settings as disabled and set your PIN complexity but then enable WHfB using one of the User methods, it will enable WHfB but use the MS Default PIN complexity and settings, ignoring anything set via Enrollment. The only way to use the Enrollment PIN settings is to enable WHfB via device written methods, and the only other one is Settings Catalogue.
A USER written method will override a DEVICE method (buried in the documents)
Also whoever blogged about the Enrollment method only affecting devices during enrollment was wrong. If you set WHfB to Disabled under Enrollment and then set it to Enabled, your devices WILL be enabled.
Finally, the biggest hurdle and not documented anywhere, if you have configured the PIN and thus have an existing Hello Container, no matter what changes in a policy, whatever was set when the container was created will be tattooed. This means that if you change a policy (say you originally had a minimum of 4 digits and max of 10 and users set a PIN but then you changed the configuration to have a minimum of 8 and max of 20) when a user selects "Change PIN", it will NOT get this new information. It will only look at the original PIN requirements. The only way to get around this is to either delete the container (certutil.exe -deletehellocontainer) or from the Setup PIN part of Settings, press I forgot my PIN. (I think it just deletes the container and creates a new one but in doing so, reads the current registry settings).
That's all I've been able to figure out so far but it's definitely helped shed some light on this topic!
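To check which scope a given Hello setting actually landed in on a device, the following PowerShell script (an added example, not part of the original post or any Microsoft tooling) walks the policy key named in the post and lists every value together with the subkey it was written under. It assumes the base path stated in the post; the subkey names beneath it (device, user, or whatever identifiers Intune created) are read from the machine rather than hard-coded, and the "user wins over device" rule it reports is the one the post describes.

```powershell
# Added example (not from the original post): dump every WHfB policy value under the
# key the post names, grouped by the subkey it was written to, so an admin can see
# whether a setting landed in the device scope or the user scope.
# Assumption: the base path below is the one stated in the post; subkey names are
# taken from the registry as found, not assumed.
$basePath = 'HKLM:\Software\Microsoft\Policies\PassportForWindows'
$marker   = 'PassportForWindows'

function Get-WhfbPolicyValues {
    param([string]$Path = $basePath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Policy key not found: $Path (no Intune WHfB policy has been written here)"
        return @()
    }

    $results = @()
    # Walk the base key itself plus every subkey beneath it.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        # Path relative to the base key identifies the scope (device or user subkey).
        $relative = $key.Name.Substring($key.Name.IndexOf($marker) + $marker.Length).TrimStart('\')
        if ([string]::IsNullOrEmpty($relative)) { $relative = '(root)' }

        foreach ($name in $key.GetValueNames()) {
            $results += [pscustomobject]@{
                Scope = $relative
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
    return $results
}

$values = Get-WhfbPolicyValues
$values | Sort-Object Scope, Name | Format-Table -AutoSize

# A value name present in more than one scope is the situation the post warns about:
# the user-written copy is the one that takes effect, so surface those explicitly.
$values | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Host "Setting '$($_.Name)' is defined in multiple scopes; per the post, the user-scope value wins:"
    $_.Group | Format-Table Scope, Value -AutoSize
}
```

Run it in an elevated PowerShell session on the affected device. If the PIN rules it prints differ from what an existing user is being held to when they choose "Change PIN", that is the container tattooing the post describes rather than a policy delivery failure, and the registry output gives you the current values to compare against once the container has been recreated.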