Forum Discussion
Windows Hello enforces 2FA
In a school environment we want to use Windows Hello.
If I disable it, all users can sign into AzureAD managed devices easily. However, they cannot enable Windows Hello (face).
If I enable Windows Hello via a Device Configuration profile, then the user is able to set up Windows Hello. However, on the next login they are required to set up a 2FA device, which is inappropriate for students.
How can I enable Windows Hello without the need for 2FA?
8 Replies
Hi AndrewManning,
as soon as you have Azure AD joined devices you are in a corporate management scenario. The way Windows Hello for Business (WHfB) works is to strongly verify the user identity before it will map the public key to the user account in Azure AD during the registration process. WHfB is a credential based on an asymmetrical key pair. The private key never leaves your device and the public key must be stored in AAD, your identity provider. To store it there, the user must be strongly authenticated during this registration process. There is no way around this in an Azure AD joined device scenario.
You are looking for the convenience PIN for AADJ devices, but this is not available/supported, see here:
Can I use a convenience PIN with Azure AD?
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
Best,
Oliver
Thijs Lecomte (Bronze Contributor):
Windows Hello for Business requires 2FA, so there is no way around it.
I would advise you to try to get your students to utilize 2FA.
Today's kids are used to this from their iPhone/Android phone and are tech-savvy enough to walk through it.
AndrewManning (Copper Contributor):
Windows Hello doesn’t require 2FA on a Windows domain, so why does it require it when the device is managed by Intune?
All of our students are under 11 years old. I do not think that expecting them to have a mobile is really acceptable.
Thijs Lecomte (Bronze Contributor):
There is a big difference between Windows Hello and Windows Hello for Business.
Check out this article for more info: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview