Mar 19 2021
- last edited on
Jan 14 2022
Could somebody please direct me on how to verify the method of Windows Hello being used?
We have Windows 10 machines enrolled and managed in Intune and hybrid azure ad joined as part of a hybrid identity model with Password Hash Sync configured.
I have a portion of Surface devices which have recently received an update from 1909 to 20H2.
After the update, at the next login, a toast notification is displayed to encourage the use of Windows Hello (see screenshot). Note, we have not enable the settings for Windows Hello for Business yet.
The user can setup the camera recognition and PIN and it works and continues to work after several reboots. This is curious, as our work on prerequisites for getting Windows Hello for Business working in the hybrid environment hasn't started yet.
The experience for configured Windows Hello appeared to be slightly different to what I had seen before. For example, when controlling elsewhere, I have been used to the initial full blue screen enrolment for WHFB.
To remove the Windows Hello functionality for the user, I ran certutil.exe -deleteHelloContainer as the logged in user, this remove the associated biometric and PIN after a logoff/reboot.
I enabled WHFB on that same device using local policy editor under the 'User Configuration\Windows Components\Windows Hello for Business\Use Windows Hello for Business' and rebooted. On next login, I get a full blue screen WHFB prompt, which I would normally expect, an MFA prompt from Azure AD and I can then setup camera biometric PIN for log in.
After attempting to lock, logoff or reboot, I cannot login use the camera or PIN as it returns as error saying 'Your credentials could not be verified'. I would expect this error, because the prerequisite work to enable WHFB in a hybrid environment hasn't been done.
So my question is, when user configured the Windows Hello option (advertised in the toast notification after the 20H2 update) how can I check which method of of Windows Hello is being used and how is that functioning.
Is this somehow using Windows Hello as opposed to Windows Hello for Business?
Oct 11 2022 12:14 PM - edited Oct 11 2022 12:15 PM
@JHensUSMC the way I managed this was tweaking the registry so this type of enrolment is never presented to a user. I wrote a blog on the problem and registry tweak. I hope it helps - https://www.teamas.co.uk/2021/07/disable-misleading-windows-hello-for.html