Windows Hello enforces 2FA


In a school environment we want to use Windows Hello.

If I disable it, all users can sign into AzureAD managed devices easily. However they cannot enable Windows Hello (face).

If I enable Windows Hello via a Device Configuration profile then the user is able to set up Windows Hello. However on the next login they are required to set up a 2FA device, which is inappropriate for Students.

How can I enable Windows Hello without the need for 2FA?

8 Replies
Windows Hello for Business requires 2FA, so there is no way around it.

I would advise you to try to get your students to utilize 2FA.

Today's kids are used to this from their iPhone/Android phone and are tech savvy enough to walk through it.
Windows Hello doesn’t require 2FA on a Windows domain, so why does it require it when the device is managed by Intune?

All of our Students are under 11 years old. I do not think that expecting them to have a mobile is really acceptable.
There is a big difference between Windows Hello and Windows Hello for Business.

Check out this article for more info: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

So can we enable Windows Hello on devices, rather than Windows Hello for Business via Intune?

AFAIK, there is no way to do this.

@Thijs Lecomte

In the Device Restriction profile there is one called "Windows Hello device authentication" (it does not mention Business).

I wonder if this would allow it?

I would need to do some testing first.

I checked the docs, this doesn't do what you desire:
Windows Hello device authentication: Allow users to use a Windows Hello companion device, such as a phone, fitness band, or IoT device, to sign in to a Windows 10 computer. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent Windows Hello companion devices from authenticating.

https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10

Hi @AndrewManning,

as soon as you have Azure AD joined devices you are in a corporate management scenario. The way Windows Hello for Business (WHfB) works is to strongly verify the user identity before it will map the public key to the user account in Azure AD during the registration process. WHfB is a credential based on an asymmetric key pair. The private key never leaves your device and the public key must be stored in AAD, your identity provider. To store it there, the user must be strongly authenticated during this registration process. There is no way around this in an Azure AD joined device scenario.

You are looking for the convenience PIN for AADJ devices, but this is not available/supported, see here:

Can I use a convenience PIN with Azure AD?

It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#can-i-use-a-convenience-pin-with-azure-ad

best,
Oliver
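The key-based flow Oliver describes above (a private key that stays on the device, a public key the identity provider will only bind to the account after strong authentication, and sign-in as a signature over a server challenge) as an added, self-contained model in Go. This is illustration code written for this thread, not Microsoft's implementation or any Intune/Azure AD API: the `Device`, `IdP`, `Register`, `Challenge` and `VerifySignIn` names are invented here, the P-256 ECDSA key stands in for the TPM-backed key, and the `mfaSatisfied` flag stands in for whatever strong-auth step the real registration performs. The point it demonstrates is the one in the reply: without that step the IdP has nothing trustworthy to bind the public key to, so registration is refused, and a key from a different device cannot satisfy the challenge for the registered user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the client side. The private key is generated here and is
// never returned to any caller (in WHfB it lives in the TPM); only the public
// key and signatures ever leave the struct.
type Device struct {
	priv *ecdsa.PrivateKey
}

// NewDevice provisions a fresh key pair on the device (assumed: P-256 ECDSA
// as a stand-in for the platform key).
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material the device exports, for registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignChallenge proves possession of the private key over a server nonce.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// IdP models the identity provider (Azure AD in the thread): a mapping from
// user account to the public key that was registered for it.
type IdP struct {
	keys map[string]*ecdsa.PublicKey
}

func NewIdP() *IdP { return &IdP{keys: map[string]*ecdsa.PublicKey{}} }

// ErrStrongAuthRequired is returned when registration is attempted without
// the strong (multi-factor) authentication the reply describes.
var ErrStrongAuthRequired = errors.New("registration refused: user not strongly authenticated")

// Register binds pub to user only if the session completed strong auth.
// This is the gate the thread is about: it cannot be skipped for an AADJ user.
func (idp *IdP) Register(user string, pub *ecdsa.PublicKey, mfaSatisfied bool) error {
	if !mfaSatisfied {
		return ErrStrongAuthRequired
	}
	idp.keys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for a sign-in attempt.
func (idp *IdP) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// VerifySignIn accepts the sign-in only if sig is a valid signature over
// nonce under the key registered for user. No key registered: no sign-in.
func (idp *IdP) VerifySignIn(user string, nonce, sig []byte) bool {
	pub, ok := idp.keys[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// FlowResult records the outcome of each step of the modelled flow.
type FlowResult struct {
	RegisteredWithoutMFA bool // should be false: gate refuses it
	RegisteredWithMFA    bool // should be true
	SignInOK             bool // registered device signs the nonce: true
	OtherDeviceOK        bool // a different device's key: false
}

// RunFlow executes the whole scenario for one constructed user "student01".
func RunFlow() (FlowResult, error) {
	var r FlowResult
	idp := NewIdP()
	dev, err := NewDevice()
	if err != nil {
		return r, err
	}
	// Step 1: registration without strong auth is refused.
	r.RegisteredWithoutMFA = idp.Register("student01", dev.PublicKey(), false) == nil
	// Step 2: after strong auth the public key is bound to the account.
	r.RegisteredWithMFA = idp.Register("student01", dev.PublicKey(), true) == nil
	// Step 3: sign-in is a signature over a server challenge.
	nonce, err := idp.Challenge()
	if err != nil {
		return r, err
	}
	sig, err := dev.SignChallenge(nonce)
	if err != nil {
		return r, err
	}
	r.SignInOK = idp.VerifySignIn("student01", nonce, sig)
	// Step 4: a key from another device cannot answer for this user.
	other, err := NewDevice()
	if err != nil {
		return r, err
	}
	otherSig, err := other.SignChallenge(nonce)
	if err != nil {
		return r, err
	}
	r.OtherDeviceOK = idp.VerifySignIn("student01", nonce, otherSig)
	return r, nil
}

func main() {
	r, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The model deliberately has no password or PIN path into `VerifySignIn`: once the public key is bound, the only way to sign in is to answer the challenge with the private key, which is why the binding step has to be strongly authenticated rather than made optional for some users.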