Enforce Windows Hello for Business for selective users

Hi,

We have configured Windows Hello for Business in a Hybrid Azure AD joined environment, and this works absolutely fine. Now we have the following requirement:

- At the Windows login prompt, we need to require users to use Windows Hello for Business. This is easily achieved using the Security Options policy "Interactive logon: Require Windows Hello for Business". However, the challenge is that this is a computer configuration policy and hence can't be enforced for particular users. So once a user is signed in, if a support person wants to run a privileged program via Run as or Run as Administrator, the pop-up does not accept the user ID and password and instead enforces Windows Hello for Business, which is impractical as the support person in most cases is remote.

So the question is: how do we enforce Windows Hello for Business for a selective set of users only, and not for local administrators or a predefined domain security group?

Thanks

Ravi
