Forum Discussion

StefanKi
Iron Contributor
Oct 19, 2024

Rollout Windows hello for Business

Hello,


I would like to roll out Windows Hello for Business (cloud trust). The configuration with Endpoint Manager is complete. Everything works very well for new installations.


There are problems with clients with activated Windows Hello (without Business). The only option here is to delete the Windows Hello configuration and then log on to the client with TPA. Windows Hello for Business can then be configured. Is there a better way to configure it for existing clients with active Windows Hello (without Business)?

If the user first logs in with a password, the PIN creation runs into a timeout with the information that it needs more secure information. The user has no MFA configured.

Thanks for your help

Stefan

  •
    micheleariis
    Steel Contributor

    StefanKi Hello, the issue you are experiencing is partly related to the very nature of the transition from Windows Hello Personal to Windows Hello for Business. There is no fully automated way to migrate users without a minimum amount of user intervention, especially given the critical role of MFA in WHfB (Cloud Trust). However, automating the removal of existing credentials and implementing MFA will make the migration process smoother.

    •
      StefanKi
      Iron Contributor
      Thanks for the information.
      How can I set up the process described here: “However, by automating the removal of existing credentials and implementing MFA, the migration process will be smoother.”?
      I was thinking of a way via a destructive PIN reset and TPA. Here I can define a time period in which the PIN must be reset. The TPA must be used for the PIN reset.
      How can I switch between a non-destructive and a destructive PIN reset?
      •
        micheleariis
        Steel Contributor

        StefanKi To make the migration smoother, you can use a PowerShell script distributed through Intune to perform a destructive PIN reset. This will remove existing credentials, forcing users to configure the PIN again. It is also useful to configure Temporary Access Pass (TPA) in Azure AD, which will allow users without MFA to securely reset the PIN. In addition, implementing compliance and conditional access policies will ensure that the PIN reset is completed within a set time interval, requiring the use of MFA or TPA. In this way, you will ensure that old credentials are removed and that all users are guided through a secure process for setting up Windows Hello for Business.
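As an added example that is not part of micheleariis's reply and not a Microsoft-provided script, the following Intune Remediation pair implements the "PowerShell script distributed through Intune" part of the procedure above. The detection script decides whether a user still needs the destructive reset; the remediation script deletes the user's local Windows Hello container with `certutil.exe -DeleteHelloContainer` (a documented Windows command) and writes a marker so the reset runs only once. The registry marker path, the deadline, and the Contoso name are assumptions for illustration. Both scripts must be assigned with "Run this script using the logged-on credentials: Yes", because the container belongs to the signed-in user, and the user has to sign out afterwards; with the WHfB cloud-trust policy already applied, the next sign-in starts WHfB provisioning, which is where the Temporary Access Pass (TAP, called TPA in the thread) or registered MFA is required.

```powershell
# Added example (not from the thread). Two Intune Remediation scripts in one
# listing; save each part as its own .ps1 and upload them as a detection /
# remediation pair. Run both in the user's context (logged-on credentials).

# ---------- Detect-HelloContainerReset.ps1 ----------
$MarkerPath    = 'HKCU:\Software\Contoso\HelloMigration'   # assumed key name
$MarkerName    = 'ContainerResetDone'                      # assumed value name
$ResetDeadline = [datetime]'2024-11-30'                    # assumed cut-off date

# Intune semantics: exit 0 = compliant (do nothing), exit 1 = run remediation.
$done = (Get-ItemProperty -Path $MarkerPath -Name $MarkerName `
            -ErrorAction SilentlyContinue).$MarkerName
if ($done -eq 1) {
    Write-Output 'Hello container already reset for this user'
    exit 0
}

# After the deadline the Conditional Access policy (require MFA or TAP) is
# expected to enforce the change; stop forcing resets from the client side.
if ((Get-Date) -gt $ResetDeadline) {
    Write-Output 'Past migration deadline, not forcing a reset'
    exit 0
}

Write-Output 'Hello container not yet reset, remediation required'
exit 1

# ---------- Remediate-HelloContainerReset.ps1 ----------
$MarkerPath = 'HKCU:\Software\Contoso\HelloMigration'   # same assumed key
$MarkerName = 'ContainerResetDone'

# Deletes every Windows Hello key (PIN and biometrics) in the current user's
# container. This is the destructive path: nothing is recovered, the user
# must enroll again at the next sign-in, which under the WHfB cloud-trust
# policy prompts for MFA or a Temporary Access Pass.
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
$proc = Start-Process -FilePath $certutil -ArgumentList '-DeleteHelloContainer' `
            -Wait -PassThru -WindowStyle Hidden

if ($proc.ExitCode -ne 0) {
    # Leave no marker so the pair retries on the next remediation cycle.
    Write-Output "certutil -DeleteHelloContainer failed, exit code $($proc.ExitCode)"
    exit 1
}

# Record the reset so detection stops flagging this user.
New-Item -Path $MarkerPath -Force | Out-Null
Set-ItemProperty -Path $MarkerPath -Name $MarkerName -Value 1 -Type DWord
Set-ItemProperty -Path $MarkerPath -Name 'ResetTime' -Value (Get-Date -Format o)

Write-Output 'Hello container deleted; user must sign out and re-enroll'
exit 0
```

This script only covers the "remove existing credentials" step; it does not switch a device between destructive and non-destructive PIN reset. That choice is a policy setting, not a script: a non-destructive reset requires the Microsoft PIN Reset Service, enabled through the Intune "Enable PIN recovery" setting (the EnablePinRecovery node of the PassportForWork CSP). Leaving PIN recovery off means every reset is destructive, which is the behaviour the example above relies on.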
