Forum Discussion
Enable 2FA for Hybrid Azure AD joined devices and Windows Hello for Business
In general, the best practice is not to deploy tenant-wide at first, in order to provide time for testing and troubleshooting so as not to cause undue disruption if things don't work as expected the first time. As such, create a group and input pilot users or computers first to validate the deployment before proceeding with additional rollouts.
With that in mind, using the "Windows Enrollment" section of Intune for WHFB applies tenant-wide to the All Users scope. It also only shows a subset of the WHFB options because this is meant for a quicker, simpler deployment. Thus, if you want to get more granular about this with a phased rollout, or to leverage all options, it's probably better to use the CSP Identity Protection Configuration Profiles. Generally, do one or the other but not both (if you don't set them exactly the same there will be a policy conflict).
The default first factor is:
- PIN
- Fingerprint
- Facial Recognition
If you don't want to allow one of these methods, remove it from the list of GUIDs, per the article. If a Biometric method is available, Windows will prefer that first.
The default credential providers for the Second unlock factor credential provider include:
- Trusted Signal
- PIN
Since PIN is also available as the second factor, it is considered the "fallback" when Biometric or Trusted Signal fails (or if it isn't set up).
Please like or mark this thread as answered if it's helpful, thanks!
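As an added illustration of the first/second factor lists described above (example code, not part of the thread or of any Microsoft tooling), the PowerShell below builds the GroupA/GroupB values for an Intune custom OMA-URI profile and sanity-checks them before a pilot rollout. The credential provider GUIDs are the ones published in Microsoft's multifactor unlock documentation; the `$OmaUriBase` path and the function names are assumptions made for this example.

```powershell
# Added example (not from the thread): builds the PassportForWork DeviceUnlock
# GroupA (first factor) / GroupB (second factor) values for an Intune custom
# OMA-URI profile and sanity-checks them before a pilot-group deployment.
# GUIDs are the credential-provider IDs from Microsoft's multifactor unlock
# documentation; the $OmaUriBase path is assumed to match that documentation.

$Providers = @{
    'PIN'               = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'
    'Fingerprint'       = '{BEC09223-B018-416D-A0AC-523971B639F5}'
    'FacialRecognition' = '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
    'TrustedSignal'     = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'
}
$OmaUriBase = './Device/Vendor/MSFT/PassportForWork/DeviceUnlock'

function New-UnlockGroupValue {
    param([string[]]$Names)
    foreach ($n in $Names) {
        if (-not $Providers.ContainsKey($n)) { throw "Unknown provider '$n'" }
    }
    # The CSP expects a comma-separated list of provider GUIDs.
    return ($Names | ForEach-Object { $Providers[$_] }) -join ','
}

function Test-UnlockPolicy {
    param([string[]]$FirstFactor, [string[]]$SecondFactor)
    if ($FirstFactor.Count -eq 0 -or $SecondFactor.Count -eq 0) {
        throw 'Each group needs at least one credential provider'
    }
    # Unlock uses one provider from each group and they must differ, so the
    # union of both groups has to offer at least two distinct providers.
    $distinct = @($FirstFactor + $SecondFactor | Sort-Object -Unique)
    if ($distinct.Count -lt 2) {
        throw 'Groups collapse to a single provider; two distinct factors are impossible'
    }
    # A provider present in both groups (PIN by default) is the fallback used
    # when the other factor is unavailable; surface that so it is deliberate.
    $FirstFactor | Where-Object { $_ -in $SecondFactor } | ForEach-Object {
        Write-Host "Note: $_ is in both groups and will act as the fallback factor"
    }
}

# Constructed pilot policy: drop Fingerprint from the default first factor and
# keep Trusted Signal + PIN as the second factor (the defaults named above).
$groupA = @('PIN', 'FacialRecognition')
$groupB = @('TrustedSignal', 'PIN')
Test-UnlockPolicy -FirstFactor $groupA -SecondFactor $groupB

[pscustomobject]@{ 'OMA-URI' = "$OmaUriBase/GroupA"; Value = New-UnlockGroupValue $groupA }
[pscustomobject]@{ 'OMA-URI' = "$OmaUriBase/GroupB"; Value = New-UnlockGroupValue $groupB }
```

Assign the resulting custom profile only to the pilot group first, and do not combine it with the Windows Enrollment WHFB settings, so the two sources cannot conflict.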