Windows Hello for Business - Biometrics

Steel Contributor

Hi all,

 

I disabled WHFB tenant wide, but created an Identity Protection configuration for it and applied it to one test machine. That works fine.

 

Reading the documentation here: https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings , it states if I leave Allow Biometrics to "Not Configured" 

 

  • Not configured (default) - Windows Hello for Business prevents biometric authentication (for all account types).

It will prevent biometrics. This doesn't appear to be the case as my test laptop is prompting for fingerprint enrollment during the WHFB setup. 

 

Is the documentation wrong? Is there anyway I can disable biometrics for a device or group of devices?

1 Reply

Hi,
We are using Account Protection profile for WH4B and it does not work like that (does not disable biometrics if it is not configured). I will switch WH4B settings from Account Protection in Endpoint Security to Identity Protection in Configuration Profiles and will let you know if I have the same result.
I'm running this simple script to disable biometrics:

$Registry = "HKLM\SOFTWARE\Policies\Microsoft\Biometrics"
if (!(Test-Path $Registry))
{
New-Item -Path "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" -Force
}
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics" /v Enabled /t REG_DWORD /d 0 /f