Enable 2FA for Hybrid Azure AD joined devices and Windows Hello for Business
I am trying to enable 2FA for HAAD joined devices using Windows Hello for Business.
I followed the following article in the MS documentation:
What else needs to be done? I have yet to test it. I am assuming this needs to be added to Users. Is it better to do it this way or to enable it Tenant Wide? I am not very sure how to go about it. Also, once I configure it and apply it to users, will I be prompted
1. First with Password or PIN? What is the first-time user experience when users are enabled with this option?
2. Should I enable Windows Hello for Business through "Enroll Devices" > Windows Enrollment > Windows Hello for Business, or
3. Devices > Windows > Configuration Profiles, and under Identity Protection set everything for Windows Hello for Business, like the Min PIN Length, Max, PIN expiration, PIN history, Allow Biometric authentication and Use enhanced anti-spoofing when available options?
I would appreciate expert advice on this.
Thanks in advance
- KurtBMayer (Steel Contributor)
In general, the best practice is not to deploy tenant-wide at first, in order to provide time for testing and troubleshooting so as not to cause undue disruption if things don't work as expected the first time. As such, create a group and input pilot users or computers first to validate the deployment before proceeding with additional rollouts.
With that in mind, using the "Windows Enrollment" section of Intune for WHFB applies tenant-wide to the All Users scope. It also only shows a subset of the WHFB options because this is meant for a quicker, simpler deployment. Thus, if you want to get more granular about this with a phased rollout, or to leverage all options, it's probably better to use the CSP Identity Protection Configuration Profiles. Generally, do one or the other but not both (if you don't set them exactly the same there will be a policy conflict).
The default first unlock factor credential providers are:
- PIN
- Fingerprint
- Facial Recognition
If you don't want to allow one of these methods, remove it from the list of GUIDs, per the article. If a Biometric method is available, Windows will prefer that first.
The default credential providers for the second unlock factor include:
- Trusted Signal
- PIN
Since PIN is also available as the second factor, it is considered the "fallback" when Biometric or Trusted Signal fails (or if it isn't set up).
Please like or mark this thread as answered if it's helpful, thanks!
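As an added example (not part of either post above), here is a PowerShell check you can run in an elevated session on one of the pilot devices before widening the rollout. It confirms the machine is actually Hybrid Azure AD joined and whether the signed-in user has provisioned Windows Hello for Business (via `dsregcmd /status`), dumps whatever PassportForWork policy has landed locally so you can see which PIN settings took effect, and decodes the first/second unlock factor GUID lists into provider names so you can confirm that PIN is present in both groups and therefore acts as the fallback the answer describes. The provider GUIDs are the ones published in Microsoft's multi-factor unlock documentation and should be checked against the article; the GPO registry path is the standard one, while the MDM path under the tenant-ID key is an assumption you should verify on your own build.

```powershell
# Added example, not from the original thread: audit WHfB state on a pilot device.
# Run in an elevated PowerShell on a Hybrid Azure AD joined test machine.

# Credential provider GUIDs as published in Microsoft's multi-factor unlock docs.
# Verify against the article before relying on them.
$Providers = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial Recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted Signal'
}

function Get-DsregState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Resolve-UnlockGroup {
    param([string]$GuidList)
    # GroupA / GroupB in the policy are comma-separated GUID lists.
    foreach ($g in ($GuidList -split ',')) {
        $g = $g.Trim()
        if ($Providers.ContainsKey($g)) { $Providers[$g] } else { "Unknown provider $g" }
    }
}

function Test-UnlockPolicy {
    param([string]$FirstFactor, [string]$SecondFactor)
    $a = @(Resolve-UnlockGroup $FirstFactor)
    $b = @(Resolve-UnlockGroup $SecondFactor)
    [pscustomobject]@{
        FirstUnlockFactor  = $a -join ', '
        SecondUnlockFactor = $b -join ', '
        # PIN in both groups means PIN is the fallback when biometric/trusted signal fails.
        PinIsFallback      = ($a -contains 'PIN') -and ($b -contains 'PIN')
        BiometricInFirst   = ($a -contains 'Fingerprint') -or ($a -contains 'Facial Recognition')
    }
}

# --- 1. Join and provisioning state ---
$ds = Get-DsregState
$hybrid = ($ds['AzureAdJoined'] -eq 'YES') -and ($ds['DomainJoined'] -eq 'YES')
"Hybrid Azure AD joined    : $hybrid"
"WHfB provisioned (NgcSet) : $($ds['NgcSet'])"

# --- 2. Policy that actually landed on the device ---
# GPO-delivered WHfB settings live under the first path. MDM-delivered settings
# are assumed (verify on your build) to live under a per-tenant key below the second.
$paths = @('HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork')
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
if (Test-Path $mdmRoot) {
    $paths += Get-ChildItem $mdmRoot | ForEach-Object { Join-Path $_.PSPath 'Device\Policies' }
}
foreach ($p in $paths) {
    if (Test-Path $p) {
        "`nPolicy source: $p"
        Get-ItemProperty $p | Select-Object * -ExcludeProperty PS*
        $pin = Join-Path $p 'PINComplexity'   # MinimumPINLength, Expiration, History, ...
        if (Test-Path $pin) { Get-ItemProperty $pin | Select-Object * -ExcludeProperty PS* }
    }
}
# More than one source listed means more than one policy channel is writing WHfB settings;
# reconcile them before moving past the pilot group.

# --- 3. Decode the default unlock groups from the answer ---
$defaultFirst  = '{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5},{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
$defaultSecond = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}'
Test-UnlockPolicy -FirstFactor $defaultFirst -SecondFactor $defaultSecond
```

Feed `Test-UnlockPolicy` the GroupA/GroupB strings from your own Identity Protection profile instead of the defaults to see what a user will actually be offered; if you remove the PIN GUID from the second group, `PinIsFallback` turns false and a failed biometric or trusted-signal check will no longer fall back to the PIN.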