Can't Disable Default Windows Hello for Business Policy




I have a problem in Microsoft Intune: I can't disable the default policy that enables Windows Hello for Business.


Best regards

6 Replies

Hi @awaaziz,


Sadly, the attached picture is not loading for me, so I can't comment on it, but in general, as long as you are an Intune Administrator, you should have the option to modify the global policy under Home > Devices > Enroll Devices > Windows Enrollment > Windows Hello for Business (see attachment WHfB.png). Just set it to Disabled (compare second screenshot WHfB2.png).


BTW, there is also an option to create a dedicated configuration profile to control this. So instead of modifying the global policy, you can leave it at "not configured", create the Identity Protection configuration profile for Windows 10, and set the value there to disable (compare screenshot WHfBviaConfigProfile.png).




@Oliver Kieselbach Thanks for your reply.

The problem is with the default strategy. It is activated; when I want to set it to unconfigured, nothing happens and the save button is greyed out.

I know very well that normally I must have the authorizations to modify it.

There is no policy configured in the Identity Protection section.


I have attached the screenshot again.



This is not normal behavior. I checked two tenants for you and I'm able to set it to "not configured" and save this successfully. You should have the same experience.




Maybe try a different browser? I used the latest Edge (Chromium based).

Verify your credentials once again, use a Global Admin just to be sure.




I have created an account in the cloud and assigned the role of General Administrator to it, and it is always the same problem.

I have tested other browsers (Edge, Firefox) and still have the same problem.

Hi @awaaziz,


I guess you are talking about the Global Administrator when you wrote General Administrator; there is no General Administrator. So, that's fine if you are Global Administrator... you really should be able to set this then. I guess you also don't have any PIM activated, when you wrote you assigned it to the role.


Did you try a simple thing like setting it to one of the values, Enable -> Save, and next setting it to Disable -> Save? Does that change anything, so that after these multiple saves you are maybe able to set it to not configured?


If not, I guess you have to open a ticket; maybe it's a specific tenant problem then. I have now verified in 3 tenants and can set it to not configured in all of them without any issues. The UI always behaves normally.




@Oliver Kieselbach Hello Oliver,

Thanks for your support.

I found the solution: the problem came from the MDM authority declared in Microsoft Endpoint Manager. I saw that it was on Microsoft 365 MDM, I switched it to Microsoft Intune, and it works.