Forum Discussion

StefanKi's avatar
StefanKi
Iron Contributor
Oct 19, 2024
Solved

Rollout Windows hello for Business

Hello,   I would like to roll out Windows Hello for Business (cloud trust). The configuration with Endpoint Manager is complete. Everything works very well for new installations. There are probl...
Passwordless Authentication
  • micheleariis's avatar
    micheleariis
    Oct 21, 2024

    StefanKi To make the migration smoother, you can use a PowerShell script distributed through Intune to perform a destructive PIN reset. This will remove existing credentials, forcing users to configure the PIN again. It is also useful to configure Temporary Access Pass (TPA) in Azure AD, which will allow users without MFA to securely reset the PIN. In addition, implementing compliance and conditional access policies will ensure that the PIN reset is completed within a set time interval, requiring the use of MFA or TPA. In this way, you will ensure that old credentials are removed and that all users are guided through a secure process for setting up Windows Hello for Business.

StefanKi's avatar
StefanKi
Iron Contributor
Oct 21, 2024
Thanks for the information.
How can I make the process: “However, by automating the removal of existing credentials and implementing MFA, the migration process will be smoother.” ?
I was thinking of a way via Destructive PIN reset and TPA. Here I can define a time period in which the PIN must be reset. The TPA must be used for the pin reset.
How can I switch between non-destructive and destructive pin reset?
micheleariis's avatar
micheleariis
MCT
Oct 21, 2024

StefanKi To make the migration smoother, you can use a PowerShell script distributed through Intune to perform a destructive PIN reset. This will remove existing credentials, forcing users to configure the PIN again. It is also useful to configure Temporary Access Pass (TPA) in Azure AD, which will allow users without MFA to securely reset the PIN. In addition, implementing compliance and conditional access policies will ensure that the PIN reset is completed within a set time interval, requiring the use of MFA or TPA. In this way, you will ensure that old credentials are removed and that all users are guided through a secure process for setting up Windows Hello for Business.

  • StefanKi's avatar
    StefanKi
    Iron Contributor
    Oct 21, 2024

    micheleariis  Thank you for your awesome support. 

     

    That's a very good idea. That way I can simplify the rollout for the user.

     

    1) Create a TAP for the user
    2) Provide script (store - then the user can set the time, in a time frame, himself)
    3) After the restart, the user can perform a pin reset on the start page

    • micheleariis's avatar
      micheleariis
      MCT
      Oct 21, 2024

      StefanKi Well, I'm glad I could help you 🙂
      Bye-bye

Resources