Is it possible to disable WHFB but allow local Windows Hello?

We have WHFB enabled through the Intune policy for all devices.

We're having issues on recently added hybrid-joined devices: they get errors when using Hello authentication methods because we don't have any certificate infrastructure.

I can disable WHFB through a configuration profile for all hybrid joined devices and that works well, but those devices now can't use their fingerprint readers and are forced to use password authentication.

Before the hybrid join, they had local Windows Hello authentication methods like fingerprint or face unlock configured, and this configuration now seems to be gone and can't be re-enabled. The Windows settings say that the organisation has disabled Windows Hello.

Is there a way to disable our global WHFB policy for our hybrid-joined devices but allow them to use local/personal Windows Hello authentication methods?

Have you turned on the "Turn on convenience PIN sign-in" policy?

Just tried enabling convenience PIN through Intune and through GPO; neither works. I guess the WHFB disable by Intune has higher priority.

EDIT: Just found out that, in fact, as soon as WHFB is set to enabled or disabled at some point, that always overwrites convenience PIN. Now I'm trying to narrow the current global scope of WHFB.

Does anyone know if I can switch from the Windows Enrollment WHFB policy to the Device configuration profile for WHFB without any issues on the clients?