Forum Discussion
Windows Hello enforces 2FA
Hi AndrewManning,
As soon as you have Azure AD joined devices, you are in a corporate management scenario. The way Windows Hello for Business (WHfB) works is to strongly verify the user identity before it will map the public key to the user account in Azure AD during the registration process. WHfB is a credential based on an asymmetrical key pair. The private key never leaves your device and the public key must be stored in AAD, your identity provider. To store it there, the user must be strongly authenticated during this registration process. There is no way around this in an Azure AD joined device scenario.
You are looking for the convenience PIN for AADJ devices, but this is not available/supported, see here:
Can I use a convenience PIN with Azure AD?
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
Best,
Oliver
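
The registration gate described in the reply above, as an added example that is not part of the original post and is not the actual WHfB or Azure AD protocol. It is a simplified model: the `IdentityProvider` and `Device` classes, the `mfaCompleted` session flag and the sample account are all hypothetical names chosen for illustration.

```javascript
// Simplified model (added example): NOT the real WHfB / Azure AD protocol.
const nodeCrypto = require('crypto');

// Hypothetical identity provider: it only ever stores public keys.
class IdentityProvider {
  constructor() { this.keys = new Map(); }

  // Registration binds a public key to an account, so it demands strong auth.
  registerKey(user, publicKeyPem, session) {
    if (!session || session.user !== user || !session.mfaCompleted) {
      return { ok: false, reason: 'strong authentication required' };
    }
    this.keys.set(user, publicKeyPem);
    return { ok: true };
  }

  newChallenge() { return nodeCrypto.randomBytes(32); }

  // Sign-in: check the signature over the challenge with the stored public key.
  verifySignIn(user, challenge, signature) {
    const pem = this.keys.get(user);
    if (!pem) return false;
    return nodeCrypto.verify('sha256', challenge, pem, signature);
  }
}

// Hypothetical device: the private key is generated locally and never exported.
class Device {
  constructor() {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge) { return nodeCrypto.sign('sha256', challenge, this.privateKey); }
}

function demo() {
  const idp = new IdentityProvider();
  const device = new Device();
  const user = 'user@example.test'; // constructed sample account
  // Registration without strong authentication is refused; with it, the key is bound.
  const weak = idp.registerKey(user, device.publicKeyPem, { user, mfaCompleted: false });
  const strong = idp.registerKey(user, device.publicKeyPem, { user, mfaCompleted: true });
  const challenge = idp.newChallenge();
  const signedIn = idp.verifySignIn(user, challenge, device.sign(challenge));
  // A different device holds a different private key, so its signature fails.
  const otherDevice = idp.verifySignIn(user, challenge, new Device().sign(challenge));
  return { weak, strong, signedIn, otherDevice };
}
```

Because every later sign-in trusts whatever public key was bound at registration, the registration step is the one place where the identity provider has to insist on strong authentication.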