Forum Discussion
Excluding Windows Hello for Business (WHfB) for Windows 10 using Intune assignment filter
Hi,
Key Points:
1. Intune Policy Exclusion Only Prevents New Policy Delivery
- When you exclude a device with a filter, Intune does not deliver the policy to that device.
- It does NOT actively remove or disable WHfB if it was previously enabled by another policy, by default, or by manual configuration.
2. WHfB Can Be Enabled by Other Means
WHfB can be enabled by:
- Entra AD tenant-wide settings
- Group Policy (local or domain)
- Previous Intune policies (before exclusion)
- Default Windows behavior (especially on Azure AD-joined devices)
- If WHfB was previously enabled, removing the policy does not revert the setting—it simply stops further configuration.
3. PIN Removal Disabled
- If WHfB is enabled at the tenant or device level, Windows disables PIN removal for compliance/security reasons.
- The “Remove” button is greyed out if the device still considers WHfB required.
4. Event Log Errors
- The generic errors (e.g., 7054, 8203) are common when there is a mismatch between policy delivery and device state.
What Can You Do?
A. Explicitly Disable WHfB for Windows 10 Devices
Create a device configuration profile that explicitly disables WHfB (set “Configure Windows Hello for Business” to “Disabled”).
Assign this profile to Windows 10 devices (using a dynamic group or filter).
This will actively turn off WHfB and allow PIN removal.
B. Check Tenant-Wide and Group Policy Settings
In Entra AD: Go to Entra AD > Devices > Windows Hello for Business and check the tenant-wide settings.
In Group Policy: Check if any local/domain GPO is enabling WHfB.
C. Remove Existing PINs
After disabling WHfB, users should be able to remove their PIN.
You may need to reboot or force a sync for the change to take effect.
Good luck!
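To put steps B and C above into practice you usually need to know which of the possible sources (Group Policy, an earlier Intune/MDM policy, or an already provisioned Hello container) is still holding WHfB on the device. The script below is an added example for this thread, not code from the original post or from Microsoft. It snapshots that state on a Windows 10 device from an elevated PowerShell session. The registry paths, the `Microsoft-Windows-User Device Registration/Admin` log name and the EnterpriseMgmt scheduled-task path are assumptions based on where Group Policy, the PassportForWork CSP and the MDM enrollment client normally write; confirm them on your own build before relying on the output.

```powershell
# Added example, not part of the original forum post.
# Shows what is still enabling Windows Hello for Business (WHfB) on a device
# after an Intune filter exclusion, plus the error events named in the thread.
# Run in an elevated PowerShell on the affected Windows 10 device.

function Get-DsregValue {
    # Pull a single "Name : Value" line out of `dsregcmd /status` output.
    param([string[]] $Lines, [string] $Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-WhfbState {
    [CmdletBinding()]
    param(
        # Event IDs mentioned in the thread; adjust if your log shows others.
        [int[]] $EventIds = @(7054, 8203),
        [int]   $MaxEvents = 10
    )

    # 1. Join state, tenant and whether a Hello key container (NGC) already exists.
    $dsreg  = dsregcmd /status
    $joined = Get-DsregValue -Lines $dsreg -Name 'AzureAdJoined'
    $ngcSet = Get-DsregValue -Lines $dsreg -Name 'NgcSet'     # YES = PIN/Hello provisioned
    $tenant = Get-DsregValue -Lines $dsreg -Name 'TenantId'

    # 2. Group Policy (local or domain). Assumed path used by the WHfB ADMX setting.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                            -Name Enabled -ErrorAction SilentlyContinue
    $gpoState = if ($null -ne $gpo) { [bool]$gpo.Enabled } else { 'not configured' }

    # 3. MDM (Intune) policy delivered through the PassportForWork CSP, keyed by tenant.
    #    Assumed path; it mirrors the CSP node
    #    ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/UsePassportForWork.
    $mdmPath = "HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\$tenant\Device\Policies"
    $mdm = Get-ItemProperty -Path $mdmPath -Name UsePassportForWork -ErrorAction SilentlyContinue
    $mdmState = if ($null -ne $mdm) { [bool]$mdm.UsePassportForWork } else { 'not configured' }

    # 4. Recent provisioning errors from the device registration log (assumed log name).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-User Device Registration/Admin'
                  Id      = $EventIds
              } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id,
                  @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

    # While either policy source still reads $true, or a policy has been removed but
    # NgcSet is still YES, expect the "Remove" PIN button to stay greyed out.
    [pscustomobject]@{
        AzureAdJoined         = $joined
        HelloKeyProvisioned   = $ngcSet
        TenantId              = $tenant
        GpoEnabled            = $gpoState
        MdmUsePassportForWork = $mdmState
        RecentErrors          = $events
    }
}

function Start-IntuneSync {
    # Trigger the MDM enrollment client's scheduled tasks so a newly assigned
    # "WHfB: Disabled" profile arrives without waiting for the next check-in.
    # (Equivalent to Settings > Accounts > Access work or school > Info > Sync.)
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Start-ScheduledTask
}

# Usage: take a snapshot, push the disable profile, sync, then snapshot again.
Get-WhfbState | Format-List
# Start-IntuneSync   # uncomment after assigning the profile that disables WHfB
```

Run `Get-WhfbState` before and after assigning the profile that sets "Configure Windows Hello for Business" to "Disabled" (the same setting can be pushed as a custom OMA-URI on the `UsePassportForWork` CSP node above with a value of false). If `GpoEnabled` is `True`, the Intune change will not win on its own and the GPO has to be cleared first; if both policy sources read `not configured` but `HelloKeyProvisioned` is still `YES`, the device is in the "previously enabled, never reverted" state described in point 1, and the explicit Disabled profile plus a sync or reboot is what moves it on.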