Forum Discussion
StefanKi, Oct 19, 2024 (Iron Contributor)
Rollout Windows hello for Business
Hello, I would like to roll out Windows Hello for Business (cloud trust). The configuration with Endpoint Manager is complete. Everything works very well for new installations. There are probl...
micheleariis, Oct 21, 2024 (Steel Contributor)
StefanKi Hello, the issue you are experiencing is partly related to the very nature of the transition from Windows Hello Personal to Windows Hello for Business. There is no fully automated way to migrate users without a minimum amount of user intervention, especially given the critical role of MFA in WHfB (Cloud Trust). However, automating the removal of existing credentials and implementing MFA will make the migration process smoother.
- StefanKi, Oct 21, 2024 (Iron Contributor)
Thanks for the information.
How can I make the process: “However, by automating the removal of existing credentials and implementing MFA, the migration process will be smoother.” ?
I was thinking of a way via destructive PIN reset and TPA. Here I can define a time period in which the PIN must be reset. The TPA must be used for the PIN reset.
How can I switch between non-destructive and destructive PIN reset?
- micheleariis, Oct 21, 2024 (Steel Contributor)
StefanKi To make the migration smoother, you can use a PowerShell script distributed through Intune to perform a destructive PIN reset. This will remove existing credentials, forcing users to configure the PIN again. It is also useful to configure Temporary Access Pass (TPA) in Azure AD, which will allow users without MFA to securely reset the PIN. In addition, implementing compliance and conditional access policies will ensure that the PIN reset is completed within a set time interval, requiring the use of MFA or TPA. In this way, you will ensure that old credentials are removed and that all users are guided through a secure process for setting up Windows Hello for Business.
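One way to implement the "PowerShell script distributed through Intune" step described above, as an added example that is not code from this thread or from Microsoft. It assumes the script is assigned in Intune with "Run this script using the logged on credentials" set to Yes (the Hello container belongs to the signed-in user, so it must run in that user's context) and uses `certutil.exe -DeleteHelloContainer` to perform the destructive reset; the registry marker key name is a placeholder.

```powershell
# Added example: one-shot, per-user destructive Windows Hello reset for a WHfB migration.
# Assumption: runs in the signed-in user's context (Intune "logged on credentials" = Yes).
$MarkerPath = 'HKCU:\Software\PLACEHOLDER-Org\WHfBMigration'   # placeholder key name
$LogPath    = Join-Path $env:LOCALAPPDATA 'WHfBMigration.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

function Test-AlreadyReset {
    # Idempotency guard: never wipe the container a second time after the user re-enrolled.
    $p = Get-ItemProperty -Path $MarkerPath -Name 'ContainerDeleted' -ErrorAction SilentlyContinue
    return ($null -ne $p)
}

function Get-HelloContainerState {
    # dsregcmd /status prints "NgcSet : YES" under "User State" when a Hello container exists.
    $line = dsregcmd /status | Select-String -Pattern 'NgcSet\s*:\s*(\w+)' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value.ToUpper() }
    return 'UNKNOWN'
}

function Set-ResetMarker {
    New-Item -Path $MarkerPath -Force | Out-Null
    New-ItemProperty -Path $MarkerPath -Name 'ContainerDeleted' -Value (Get-Date -Format o) `
        -PropertyType String -Force | Out-Null
}

function Invoke-DestructiveHelloReset {
    if (Test-AlreadyReset) { Write-Log 'Marker present; reset already done, skipping.'; return 0 }

    if ((Get-HelloContainerState) -ne 'YES') {
        # Nothing to delete; record the marker so this user is not re-evaluated every run.
        Write-Log 'No Hello container for this user; marking as done.'
        Set-ResetMarker
        return 0
    }

    Write-Log 'Deleting Windows Hello container (destructive PIN reset).'
    certutil.exe -DeleteHelloContainer | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Log "certutil failed with exit code $LASTEXITCODE"; return 1 }

    Set-ResetMarker
    Write-Log 'Container deleted; user will be prompted to set up a new WHfB PIN at next sign-in.'
    return 0
}

exit (Invoke-DestructiveHelloReset)
```

The non-zero exit code surfaces as a failed script run in the Intune reporting, which is how you spot users who still need a manual reset before the compliance deadline.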
- StefanKi, Oct 21, 2024 (Iron Contributor)
micheleariis Thank you for your awesome support.
That's a very good idea. That way I can simplify the rollout for the user.
1) Create a TAP for the user
2) Provide script (store - then the user can set the time, in a time frame, himself)
3) After the restart, the user can perform a PIN reset on the start page