Forum Discussion
Win 10 Security Baseline: Issue with WHFB
Did WHfB work before the Baseline deployment?
It could be due to a conflicting GPO even if you set the "MDM policies precedence over GPO". Why -> If a GPO and MDM-CSP conflict occurs in a setting, the current GP value saved before the CSP was applied takes precedence.
Good luck!
Yes, it worked before. I use the default settings in the Security Baseline and WHFB is deployed via GPO. So what are the settings in the baseline that possibly conflict with GPO? I am not able to spot any when walking through the categories.
- Bogdan_Guinea, Dec 14, 2025, Iron Contributor
Hi,
sorry for the late response.
You're likely using the 24H2 Security Baseline.
Check specifically under Windows Hello for Business Settings > Facial Features > Use enhanced anti-spoofing. This is the primary WHfB-related setting in the baseline; investigate how this option interacts with your GPO deployment.
Check the Intune | Devices | Enrollment | Windows Hello for Business settings to see if they're enabled and causing a scope or configuration mismatch with your on-premises GPO.
Use gpresult /h report.html on affected devices and compare registry keys (e.g., PassportForWork\Enabled) against baseline defaults; clear GPO links temporarily to test on one device in order for you to better understand where the mismatch is.
Good luck!
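
The registry comparison suggested in the reply above can be scripted. This is an added example, not part of the original thread: a read-only PowerShell check to run elevated on an affected device. The registry paths and the `UsePassportForWork` value name are assumptions based on the commonly documented GPO and MDM policy locations; confirm them against your gpresult report.

```powershell
# Added example (not from the thread): read-only comparison of WHfB policy
# values written by GPO and by MDM/Intune. All paths below are assumptions
# based on commonly documented locations; verify them on your build.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @(
    @{ Source = 'GPO'; Name = 'Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' },
    @{ Source = 'GPO'; Name = 'EnhancedAntiSpoofing'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' },
    @{ Source = 'MDM'; Name = 'MDMWinsOverGP'
       Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict' }
)

$results = @(foreach ($c in $checks) {
    [pscustomobject]@{ Source = $c.Source; Name = $c.Name
                       Value = Get-PolicyValue $c.Path $c.Name; Path = $c.Path }
})

# MDM-delivered WHfB settings are stored under one subkey per tenant ID.
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
if (Test-Path $mdmRoot) {
    foreach ($tenant in Get-ChildItem $mdmRoot) {
        $p = Join-Path $tenant.PSPath 'Device\Policies'
        $results += [pscustomobject]@{ Source = 'MDM'; Name = 'UsePassportForWork'
                       Value = Get-PolicyValue $p 'UsePassportForWork'; Path = $p }
    }
}

$results | Format-Table Source, Name, Value, Path -AutoSize -Wrap

# Flag the case described in the thread: GPO and MDM both set WHfB but disagree.
$gpo = ($results | Where-Object { $_.Source -eq 'GPO' -and $_.Name -eq 'Enabled' }).Value
$mdm = @($results | Where-Object Name -eq 'UsePassportForWork' |
         Where-Object { $null -ne $_.Value } | ForEach-Object Value)
if ($null -ne $gpo -and $mdm.Count -gt 0 -and ($mdm | Where-Object { $_ -ne $gpo })) {
    Write-Warning "GPO Enabled=$gpo but MDM UsePassportForWork=$($mdm -join ',')"
} elseif ($null -eq $gpo -and $mdm.Count -eq 0) {
    Write-Output 'No WHfB policy value found from either source.'
}
```

Running it before and after temporarily unlinking the GPO on one test device shows which source is writing each value.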