Forum Discussion
mlawton1986
Sep 28, 2020 Copper Contributor
Enforce Windows Hello
Hi, we have an environment full of Azure AD joined Windows 10 devices. We want to enforce MFA (Hello). If we set a Windows Hello Intune policy then a user can skip, therefore it is not enforced....
Thijs Lecomte
Bronze Contributor
I think you are confusing MFA and Windows Hello.
MFA can be required on Azure AD and the user has the possibility to skip registration for 14 days. After 14 days, the user is forced to register for MFA. After this, the user has to do MFA depending on the Conditional Access configuration.
Windows Hello for Business is an Intune policy but you are right that it can be skipped. I haven't found a way to force it myself. Windows Hello is device specific and the user will never be locked out of MS cloud services due to Windows Hello.
If Windows Hello is configured, the user still has the option to sign in with a password (instead of PIN/Face) and this cannot be disabled.
mlawton1986
Sep 28, 2020 Copper Contributor
Thijs Lecomte thanks for responding.
I am a bit confused now. As far as I am aware, Windows Hello for Business is MFA.... you have the device's certificate plus another form (PIN, facial recognition etc.).
Or are you saying that when Azure/M365 refer to MFA they are talking about password + SMS/app only and Windows Hello doesn't count as MFA (e.g. for MFA registration policy, Conditional Access etc.)?
Thijs Lecomte
Sep 28, 2020 Bronze Contributor
Yeah, you are right. I am talking about M365 MFA 🙂