Enforce Windows Hello


Hi,

We have an environment full of Azure AD joined Windows 10 devices.

We want to enforce MFA (Hello).

If we set a Windows Hello Intune policy, a user can skip it, so it is not enforced. We have tested the MFA registration policy; my understanding is that after 14 days of skipping it should lock the user out of any MS cloud service... but it doesn't; it doesn't seem to do a lot.

Also, even once Hello is registered, a user still has the option of logging into the desktop using username and password, and therefore bypassing the MFA....

Has anyone got anything similar working?

Thanks

3 Replies
I think you are confusing MFA and Windows Hello.

MFA can be required on Azure AD, and the user can skip registration for 14 days. After 14 days, the user is forced to register for MFA. After this, the user has to do MFA depending on the Conditional Access configuration.

Windows Hello for Business is an Intune policy, but you are right that it can be skipped. I haven't found a way to force it myself. Windows Hello is device specific, and the user will never be locked out of MS cloud services due to Windows Hello.

If Windows Hello is configured, the user still has the option to sign in with a password (instead of PIN/Face), and this cannot be disabled.
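To see what actually happened on a device, rather than what the Intune policy intended, the following PowerShell is an added example (not code from this thread or from Microsoft). It parses `dsregcmd /status` for the Azure AD join state and the `NgcSet` flag, which reports whether the signed-in user has a Windows Hello for Business key on this device, and then looks for the policy registry locations where the "Use Windows Hello for Business" GPO and the Intune PassportForWork CSP write their settings (those two paths are the ones I know of and should be treated as assumptions to verify on your build). The `dsregcmd` output embedded below is constructed so the script runs offline.

```powershell
# Added example: check on an Azure AD joined Windows 10 device whether Windows Hello for
# Business was really provisioned, and whether any Hello policy reached the device.
# Registry paths are assumptions based on the GPO and PassportForWork CSP locations.

function Get-DsregState {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" lines under "| Section |" headers. Single-word
    # keys (AzureAdJoined, NgcSet, AzureAdPrt, ...) are captured; multi-word keys are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HelloProvisioned {
    param([hashtable]$State)
    # NgcSet is YES only when the user has a Hello (NGC) key on this device. A user who
    # clicked past the Hello setup prompt shows AzureAdJoined YES and NgcSet NO.
    return ($State['AzureAdJoined'] -eq 'YES' -and $State['NgcSet'] -eq 'YES')
}

function Get-HelloPolicyState {
    # GPO "Use Windows Hello for Business" writes Enabled under the Policies key; the Intune
    # PassportForWork CSP writes UsePassportForWork under a per-tenant subkey (assumed paths).
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $csp = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    $found = @()
    if (Test-Path $gpo -ErrorAction SilentlyContinue) {
        $found += "GPO Enabled=$((Get-ItemProperty -Path $gpo).Enabled)"
    }
    if (Test-Path $csp -ErrorAction SilentlyContinue) {
        foreach ($k in Get-ChildItem -Path $csp -Recurse -ErrorAction SilentlyContinue) {
            if ($k.Property -contains 'UsePassportForWork') {
                $found += "CSP $($k.PSChildName) UsePassportForWork=$($k.GetValue('UsePassportForWork'))"
            }
        }
    }
    if ($found.Count -eq 0) { return 'no WHfB policy present on this device' }
    return ($found -join '; ')
}

# Constructed sample, shaped like dsregcmd /status on an Azure AD joined device whose user
# skipped the Hello enrolment prompt.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
                AzureAdPrt : YES
'@ -split "`r?`n"

# Use the real tool when it exists (Windows), otherwise the constructed sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$state = Get-DsregState -Lines $lines

"Azure AD joined   : $($state['AzureAdJoined'])"
"Hello key present : $($state['NgcSet'])"
"Hello provisioned : $(Test-HelloProvisioned -State $state)"
"Hello policy      : $(Get-HelloPolicyState)"
```

Run it in the user's own session, since `NgcSet` is reported for the signed-in user. A device that shows the policy present but `NgcSet : NO` is exactly the "policy applied, user skipped" case described above; with the sample data the script reports `Hello provisioned : False`.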

@Thijs Lecomte thanks for responding.

I am a bit confused now. As far as I am aware, Windows Hello for Business is MFA.... you have the device's certificate plus another form (PIN, facial recognition, etc.).

Or are you saying that when Azure/M365 refer to MFA they are talking about password + SMS/app only, and Windows Hello doesn't count as MFA (e.g. for the MFA registration policy, Conditional Access, etc.)?

Yeah you are right. I am talking about M365 MFA :)
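The thread ends on the distinction between Windows Hello for Business, a key bound to one device, and the Azure AD / M365 MFA methods that the MFA registration policy and Conditional Access act on. The following PowerShell is an added example, not code from this thread, that lists a user's registered authentication methods through Microsoft Graph and reports the two groups separately, so you can see a user who enrolled Hello on a laptop but never registered a cloud MFA method. It assumes the Microsoft Graph PowerShell SDK (`Invoke-MgGraphRequest`, after `Connect-MgGraph` with the `UserAuthenticationMethod.Read.All` permission); the `HELLO_CHECK_UPN` environment variable and the sample response are the example's own constructions.

```powershell
# Added example: split a user's Azure AD authentication methods into device-bound Windows
# Hello for Business keys and cloud MFA methods. Graph call is only made when the caller
# sets HELLO_CHECK_UPN (an assumed convention for this example); otherwise constructed data.

function Get-MethodSummary {
    param([object[]]$Methods)
    $hello = @(); $cloudMfa = @(); $other = @()
    foreach ($m in $Methods) {
        # @odata.type identifies the method kind in the Graph authentication/methods response.
        switch ($m.'@odata.type') {
            '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' { $hello    += "Hello on $($m.displayName)" }
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  { $cloudMfa += "Authenticator on $($m.displayName)" }
            '#microsoft.graph.phoneAuthenticationMethod'                   { $cloudMfa += "Phone ($($m.phoneType)) $($m.phoneNumber)" }
            '#microsoft.graph.fido2AuthenticationMethod'                   { $cloudMfa += "FIDO2 key $($m.model)" }
            '#microsoft.graph.passwordAuthenticationMethod'                { $other    += 'Password' }
            default                                                        { $other    += $m.'@odata.type' }
        }
    }
    [pscustomobject]@{
        HelloDevices       = $hello
        CloudMfaMethods    = $cloudMfa
        OtherMethods       = $other
        CloudMfaRegistered = ($cloudMfa.Count -gt 0)
    }
}

function Get-UserMethods {
    param([string]$UserPrincipalName)
    # Live call; run Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All' first.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/methods"
    $r = Invoke-MgGraphRequest -Method GET -Uri $uri
    return $r.value
}

# Constructed sample: a user with a Hello key on one laptop and no cloud MFA method at all.
$sample = @(
    @{ '@odata.type' = '#microsoft.graph.passwordAuthenticationMethod' }
    @{ '@odata.type' = '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
       displayName = 'LAPTOP-01'; keyStrength = 'normal' }
)

$methods = if ($env:HELLO_CHECK_UPN) { Get-UserMethods -UserPrincipalName $env:HELLO_CHECK_UPN } else { $sample }
Get-MethodSummary -Methods $methods | Format-List
```

With the sample data the output lists `LAPTOP-01` under `HelloDevices` and reports `CloudMfaRegistered : False`, which is the situation the thread describes: Hello is set up on the device, yet from the tenant's point of view the user has not registered any M365 MFA method. Running it across a group of users gives a quick picture of who still needs to go through MFA registration regardless of their Hello state.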