
hannessyZv
Copper Contributor
Jul 19, 2023

Is it possible to disable WHFB but allow local Windows Hello?

We have WHFB enabled through the Intune policy for all devices.

We're having issues on recently added hybrid-joined devices: they get errors when using Hello authentication methods because we don't have any certificate infrastructure.

I can disable WHFB through a configuration profile for all hybrid joined devices and that works well, but those devices now can't use their fingerprint readers and are forced to use password authentication.

Before the hybrid join, they had local Windows Hello authentication methods like fingerprint or face unlock configured, and this configuration now seems to be gone and can't be re-enabled. The Windows settings say that the organisation has disabled Windows Hello.

Is there a way to disable our global WHFB policy for our hybrid-joined devices but allow them to use local/personal Windows Hello authentication methods?

  • hannessyZv
    Copper Contributor
    Does anyone know if I can switch from the Windows Enrollment WHFB policy to the Device configuration profile for WHFB without any issues on the clients?
    • hannessyZv
      Copper Contributor

      Just tried enabling convenience PIN through Intune and through GPO; both won't work. I guess the WHFB disable by Intune has higher priority.

      EDIT: Just found out that in fact, as soon as WHFB is set to enabled or disabled at some point, that always overwrites convenience PIN. Now I'm trying to narrow the current global scope of WHFB.
