Forum Discussion

Niccolò01
Copper Contributor
Jul 16, 2025

Excluding Windows Hello for Business (WHfB) for Windows 10 using Intune assignment filter

Good morning,

I'm experiencing a persistent issue with applying an exclusion policy for Windows Hello for Business (WHfB) on Windows 10 devices (actually a testing VM) managed through Microsoft Intune. Despite configuring the assignment filter and verifying its correct evaluation in Intune, Windows 10 devices continue to allow WHfB PIN creation, and the option to remove the PIN is disabled.

Scenario and objective:
My goal is to enable Windows Hello for Business for all users except when they log in from a Windows 10 device (already enrolled in Intune). Therefore, the intention is to disable WHfB specifically for Windows 10 devices.

Current configuration:

  • WHfB policy: I have a device configuration profile named “WHfB” (Platform: Windows) which enables Windows Hello for Business.
  • Policy assignment: This policy is assigned to a “WHfB Dynamic Group” that contains users with the “manager” attribute.
  • Assignment filter (exclusion): I created and applied an assignment filter named “Windows 10 Device Filter” to the policy mentioned above.
  • Filter mode: Exclude.
  • Filter definition: (device.osVersion -contains "10.0.1")

Observed behavior:

Filter evaluation in Intune (as shown in the previously provided screenshot):
For the problematic Windows 10 device, in the “Filter Evaluation” section of the “WHfB” policy, the “Windows 10 Device Filter” shows “Evaluation Result: Match” and “Mode: Exclude.” The message states “Policy not delivered.” This confirms that the filter is working correctly in Intune and that the WHfB policy is not applied to the Windows 10 device.

Behavior on the Windows 10 device:

Despite the exclusion, the user (AdeleV) can still modify and use the WHfB PIN.
The “Remove” PIN option is disabled (greyed out) in sign-in options.

Windows Event Logs (HelloForBusiness/Operational):
The log displays several errors (Event IDs 7054, 8203, 7204) and informational events (8210, 8200, 8202, 5060 “PIN required”).
Event 7054 specifically indicates error 0x1 (or 0x80000000000000001), which is a generic error.

Troubleshooting steps performed:

  • Forced sync and restarts: executed multiple times on the Windows 10 device. Sync status in Intune for the “WHfB” policy sometimes shows “Unavailable,” but filter evaluation is always “Match/Exclude.”
  • OS version verification: The OS version on the device (10.0.19045.3803) confirms that the string “10.0.1” is contained, so the filter syntax is correct.
  • Policy conflict search: I reviewed the device’s configuration profiles and compliance policies applied via Intune, but didn’t identify any obvious conflicts or other policies that explicitly enable WHfB.

Question:

Given that my WHfB exclusion filter works correctly, but WHfB is still enabled on the Windows 10 device (and the PIN can’t be removed, with a generic error in the log), what could be the root cause?

2 Replies

  • Niccolò01

    Hi,

    Key Points:

    1. Intune Policy Exclusion Only Prevents New Policy Delivery
    • When you exclude a device with a filter, Intune does not deliver the policy to that device.
    • It does NOT actively remove or disable WHfB if it was previously enabled by another policy, by default, or by manual configuration.

    2. WHfB Can Be Enabled by Other Means
    WHfB can be enabled by:
    • Entra AD tenant-wide settings
    • Group Policy (local or domain)
    • Previous Intune policies (before exclusion)
    • Default Windows behavior (especially on Azure AD-joined devices)
    • If WHfB was previously enabled, removing the policy does not revert the setting; it simply stops further configuration.

    3. PIN Removal Disabled
    • If WHfB is enabled at the tenant or device level, Windows disables PIN removal for compliance/security reasons.
    • The “Remove” button is greyed out if the device still considers WHfB required.

    4. Event Log Errors
    • The generic errors (e.g., 7054, 8203) are common when there is a mismatch between policy delivery and device state.

    What Can You Do?

    A. Explicitly Disable WHfB for Windows 10 Devices
    Create a device configuration profile that explicitly disables WHfB (set “Configure Windows Hello for Business” to “Disabled”).
    Assign this profile to Windows 10 devices (using a dynamic group or filter).
    This will actively turn off WHfB and allow PIN removal.

    B. Check Tenant-Wide and Group Policy Settings
    In Entra AD: Go to Entra AD > Devices > Windows Hello for Business and check the tenant-wide settings.
    In Group Policy: Check if any local/domain GPO is enabling WHfB.

    C. Remove Existing PINs
    After disabling WHfB, users should be able to remove their PIN.
    You may need to reboot or force a sync for the change to take effect.

    Good luck!

  •
    rahuljindal
    Bronze Contributor

    Maybe check in the MDM diagnostic log if WHfB is being configured through some other Intune policy like a baseline, or perhaps through a tenant-wide policy. I’d also suggest trying Account protection under Endpoint security for configuring WHfB.
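The two replies above point at the same gap: Intune reports "policy not delivered", but the device may still have WHfB switched on by an earlier Intune delivery, by Group Policy, or simply because a Hello key already exists. The script below is an added example, not code from either reply or from Microsoft, that gathers that evidence on the affected Windows 10 device in one pass: join state and existing Hello key from `dsregcmd /status`, the PassportForWork CSP value Intune writes per tenant, the machine and user GPO value, the HelloForBusiness event IDs quoted in the question, and an MDM diagnostics report. It assumes the documented registry locations for the PassportForWork CSP (`HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\<TenantId>\Device\Policies`) and the GPO (`...\PassportForWork\Enabled`), reads the tenant ID from `dsregcmd` rather than hard-coding it, and uses `C:\Temp\WhfbDiag` as a constructed placeholder for the report folder. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the thread): list every source that can enable WHfB
# on this device so Intune's "policy not delivered" can be compared with what
# the device itself believes. Registry paths are the documented PassportForWork
# CSP/GPO locations (assumption); $ReportDir is a constructed placeholder.

function Get-WhfbConfigSources {
    [CmdletBinding()]
    param([string]$ReportDir = 'C:\Temp\WhfbDiag')

    # 1. Join state, tenant, and whether a Hello (NGC) key already exists for this user.
    $dsreg    = dsregcmd /status
    $joined   = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $ngcSet   = [bool]($dsreg | Select-String 'NgcSet\s*:\s*YES')
    $tenantMatch = $dsreg | Select-String 'TenantId\s*:\s*([0-9a-fA-F-]+)' | Select-Object -First 1
    $tenantId = if ($tenantMatch) { $tenantMatch.Matches[0].Groups[1].Value } else { $null }

    # 2. Intune (PassportForWork CSP): written per tenant. 1 = enabled, 0 = explicitly
    #    disabled, $null = no policy delivered (which is what an excluded filter produces).
    $cspPath  = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\$tenantId\Device\Policies"
    $cspValue = $null
    if ($tenantId -and (Test-Path $cspPath)) {
        $cspValue = (Get-ItemProperty -Path $cspPath -ErrorAction SilentlyContinue).UsePassportForWork
    }

    # 3. Group Policy "Use Windows Hello for Business", machine and user scope.
    $gpoMachine = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue).Enabled
    $gpoUser    = (Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue).Enabled

    # 4. Recent HelloForBusiness operational events, limited to the IDs quoted in the question.
    $ids    = 7054, 8203, 7204, 8210, 8200, 8202, 5060
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-HelloForBusiness/Operational'; Id = $ids
              } -MaxEvents 20 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    # 5. MDM diagnostics: MDMDiagReport.html in the output folder lists the policies
    #    actually applied, including baselines and Account protection profiles.
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    & MdmDiagnosticsTool.exe -out $ReportDir | Out-Null

    [pscustomobject]@{
        AzureAdJoined         = $joined
        TenantId              = $tenantId
        HelloKeyPresent       = $ngcSet      # stays YES after delivery stops; exclusion never clears it
        MdmUsePassportForWork = $cspValue
        GpoMachineEnabled     = $gpoMachine
        GpoUserEnabled        = $gpoUser
        RecentEvents          = $events
        MdmDiagReport         = Join-Path $ReportDir 'MDMDiagReport.html'
    }
}

Get-WhfbConfigSources | Format-List
```

Reading the result: `MdmUsePassportForWork = $null` with both GPO values `$null` and `HelloKeyPresent = True` is exactly the state the first reply describes, a device that was provisioned earlier and is now simply no longer receiving configuration. A value of `1` from a tenant other than the one you expect, or a non-null GPO value, names the competing source. An explicit "Disabled" profile (point A above) is what turns `MdmUsePassportForWork` to `0`, and the report under `MdmDiagReport` shows whether a baseline or Account protection profile is still delivering the setting, which is the check the second reply suggests.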
