Windows Hello for Business
WHfB prompting for password at first login
Hi All, I can't seem to get these Intune policies correct for WHfB (Windows Hello for Business). I want WHfB active using a PIN for a customer. I have a test VM set up and registered with WHfB correctly. When you first power on the machine and log in, there is no prompt for a PIN, only the M365 password. Once logged in, I can lock or log off and I am prompted with the PIN login. I restart the VM and I am back to having to use a password for the initial login. I have WHfB set up in the following areas:

Endpoint security | Account protection (assigned to All devices and All users)
Use Windows Hello for Business (Device) - True
Use Windows Hello for Business (User) - True (tried without this first)
Minimum PIN length - 6

Devices | Enrollment
Configure Windows Hello for Business - Enabled
TPM - Preferred
Minimum PIN length - 6
Allow biometric - Yes
Allow phone sign-in - Yes

Devices | Configuration (assigned to All users & All devices)
Turn on convenience PIN sign-in - Enabled
Minimum PIN Length (User) - 6
Use Windows Hello For Business (User) - True
Use Remote Passport - Enabled
Allow Use of Biometrics - True

I know there is quite some double-up having this configured at all possible levels. I started with Device enrollment and a configuration profile, and then moved to Account protection. I'm currently going round in circles trying to work out why the initial login isn't prompting for a PIN. (I also built a new VM and it's doing the same thing.) Although, on the first reboot it worked fine, from memory. Thanks in advance, Gurus.

Azure AD Joined device is not honoring Windows Hello for Business Config Policy from Intune
With the availability of Cloud Kerberos Trust we are now able to deploy WHfB to our hybrid workforce, but we do have a handful of Azure AD Joined devices that we also need to deploy to. All of these devices are enrolled in Intune, and our user accounts are all on-prem AD and synced to Azure. When I configured the WHfB policy using the Settings Catalog Configuration Profile and applied it to our test devices, the hybrid one works great: it obtains the settings, I can see the updates to the registry, and the Windows UI reflects these settings in the WHfB setup. For example, the PIN Complexity settings were set to a minimum of 4 and allowed all characters, symbols, etc. However, when I applied the same policy to an Azure AD Joined device, the device received the settings and made the registry changes, yet when configuring the PIN, the requirements shown on screen were not what was set in the policy. I tried changing some settings in the policy to see if the updated registry settings would affect the Windows UI, but still nothing. Where could this setting be getting overwritten from, or does an AADJ device with an on-prem synced user account need to have the WHfB config set a certain way? We are not making any settings using the other methods of configuring WHfB such as Enrollment, Identity Protection Template, or Account Protection (Endpoint Security), and on-prem Group Policy cannot set WHfB policies on user accounts, only devices, so this doesn't apply as it's AADJ. You can see the settings that are applied in the policy, what's reflected in the registry, and then what the UI says when setting a PIN.

Allow users to choose how they sign in
Hello, I don't find the option "Allow users to choose how they sign in" to allow users to choose between using Windows Hello for Business or a traditional password to log in. Is it no longer supported? Or how can I just enable Windows Hello for Business without forcing it? Thank you in advance.

Windows Hello for Business and BitLocker - By-design Security/Factor Authentication Issue
To clarify my scenario, I'm looking to distribute 100 laptops to users in a few months. I like Windows Hello for Business's biometrics functionality with TPM chips; I'm sure users would love its ability to unlock a screen in less than a second with a fingerprint. But I have issues with the PIN(s). Here's the use case: a user is sent a laptop, which is enrolled in Azure through Intune and Autopilot. As part of the initial sign-in procedure the user is prompted to enter a PIN for their Windows account. This can only be numbers. This, I'm told, is unavoidable if we want to take advantage of the other benefits of Windows Hello, such as the biometrics (unlocking a PC with a fingerprint). I am aware that this PIN can ONLY be used on this device. Once the user is signed in, the BitLocker automated encryption process is automatically triggered on their device. The user is then requested to create ANOTHER PIN that will allow the hard drive to be unlocked on startup, which, again, can only be numbers. Similarly, I am aware that this PIN can also only be used on this device. We want BitLocker configured; I can see hacking attempts once Windows is booted fully becoming more frequent. My problem is that I find it hard to believe with any degree of likelihood that a user is not expected to use the same combination of numbers for both of these PINs and, as a result, this nullifies any two-factor authentication benefits to having a BitLocker PIN on the device. Worse, it allows people local access to desktop and files just by knowing one PIN, even when booting the machine from cold. This is, if anything, less secure than having a password on its own to unlock the device: the PIN in either scenario cannot be set to expire. My question is, are Microsoft looking to remove the requirement for a PIN from Windows Hello for Business at any time in the future? Because if not, I don't feel comfortable using it if access to devices can be achieved in such a simple way.
I was hoping that being able to accommodate (and, if anything, mandate) non-numerical characters in BitLocker PINs, as is the case with devices that are registered with a local Domain Controller but for some reason not in Azure, may help compensate for this, but I am told this is not the case. It's not even possible to block the PIN as an option on first login after a cold boot. Mark

Windows Hello for Business implementation
Hi, for a couple of days now we've introduced Windows Hello for Business (WHfB) to a subset of test devices from within Intune. Everything works as expected except for one thing, I guess: when someone tries to log on with a non-enterprise account (e.g. @live.nl) in Teams and/or OneDrive, the machine is prompting to authenticate with WHfB. Am I missing something? Why is this happening and how can we prevent this? Any thoughts are welcome.