May 21 2020 04:22 AM
In a school environment we want to use Windows Hello.
If I disable it, all users can sign into AzureAD managed devices easily. However, they cannot enable Windows Hello (face).
If I enable Windows Hello via a Device Configuration profile, then the user is able to set up Windows Hello. However, on the next login they are required to set up a 2FA device, which is inappropriate for students.
How can I enable Windows Hello without the need for 2FA?
In the Device Restriction profile there is one called "Windows Hello device authentication" (it does not mention Business).
I wonder if this would allow it?
I would need to do some testing first.
May 25 2020 04:58 AM
Hi @AndrewManning,
as soon as you have Azure AD joined devices, you are in a corporate management scenario. The way Windows Hello for Business (WHfB) works is to strongly verify the user identity before it will map the public key to the user account in Azure AD during the registration process. WHfB is a credential based on an asymmetric key pair. The private key never leaves your device, and the public key must be stored in AAD, your identity provider. To store it there, the user must be strongly authenticated during this registration process. There is no way around this in an Azure AD joined device scenario.
You are looking for the convenience PIN for AADJ devices, but this is not available/supported, see here:
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
best,
Oliver