Windows Hello for Business
5 Topics

Set User Default Credential Provider for Lock Screen
I'm using Windows 10 Enterprise 22H2 with Intune and MECM (co-managed). We enforce that our users enrol for Windows Hello for Business. They can use a PIN or biometrics. This all works fine, but when the user session locks (idle time etc.) it defaults to the username/password credential provider, even if the user signed into the desktop console session with a PIN. I'm aware there is a system-wide policy to set the default credential provider here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider, but I am wondering if there is a method to do this per user, or to have the lock screen default to the credential the user used to sign in?

4.5K Views, 0 likes, 5 Comments

Windows Hello for Business for Hybrid Entra Join
Environment:
- No UPN matching between on-prem AD and Azure; third-party federation and user provisioning.
- Hybrid Entra Joined devices.
- Enrolled to Intune using device credentials, as SCCM is set up with co-management (Cloud Attach).

Question: When setting up Windows Hello for Business (which was working before enrollment) using GPO or Intune, an error is returned.

PIN: "this sign in option is only available when connected to your organization's network"
Fingerprint and Face: "The option is currently unavailable"

Multiple methods to set up WHFB were attempted and none have worked so far:
- Devices -> Win 10 -> Enrollment -> "Configure Windows hello for business"
- Using custom settings as described here (CSP or GPO): https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure
- Biometric devices updated / Windows updates installed / all devices and users in the organization are affected.

What could be the issue? Any best effort to get Windows Hello for Business working again?

276 Views, 0 likes, 0 Comments

WHFB Cloud Kerberos Trust Compatible for Server 2012 R2
Hi, we have a Hybrid AAD joined environment and currently have a DC on 2012 R2 along with an ADC on 2019. Currently we have the Cloud Kerberos model and need to configure WHFB via GPO. Is 2012 R2 compatible with that, or do we need to upgrade it to Server 2016? Any suggestion or experience? I have already gone through the Microsoft reference link below, which mentions that Server 2016 is the minimum requirement. However, 2012 R2 is the production one, so we don't want to upgrade it. Is Windows Hello for Business workable in that scenario? https://learn.microsoft.com/en-gb/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune

620 Views, 0 likes, 0 Comments

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello, I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices. I recently enabled HAADJ in AAD Connect. As expected, first of all, the devices acquire a userCertificate attribute as part of the WorkplaceJoin scheduled task, sync to Azure AD as part of the next AAD Connect sync cycle, and show up in the Azure AD tenant as a HAAD device. The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to set up a Windows Hello for Business PIN. You can skip the process and continue, but every subsequent login asks you to set up a PIN, which you can skip. The devices are HAADJ but not enrolled into Intune for MDM. In the Azure AD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt. The only way forward I'm finding to deal with this is by setting the setting "Use Windows Hello for Business" under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled. It was previously set to Not Configured. This stops the set-up PIN prompt coming up after login; however, notifications still appear in the notification area after login saying "The system is configured to use Windows Hello for Business, Click here to setup you PIN". I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings. The end goal is to retain HAADJ but disable all the prompts for setting up Windows Hello for Business. Any ideas?

5.5K Views, 0 likes, 1 Comment

Windows Hello for Business: Hybrid Certificate Trust + Modern Management - NDES RA
Contoso wants to implement Windows Hello for Business. Walking through the "Planning a Windows Hello for Business Deployment" process with Contoso resulted in the following deployment parameters:
1. Hybrid - the customer has AD and Azure AD (federated environment with AD FS).
2. Certificate Trust - the customer already has an AD CS PKI and wants to reuse WHFB certificates for other purposes (e.g., Always On VPN).
3. All PCs are Hybrid Azure AD Joined (no non-domain-joined PCs; no Azure AD Joined PCs).
4. Contoso wants to use Modern Management (Intune) policy to manage the WHFB PCs, not Group Policy.

Note that Contoso is a federated environment, so they could use Group Policy and an AD FS RA. But they don't want to (it creates another dependency on AD FS, which is undesirable). The above requirements yield a need for an NDES Registration Authority. The Windows Hello for Business Hybrid Certificate Trust Deployment Guide does not document this scenario with modern management and an NDES RA. It only describes deployment with Group Policy management and an AD FS RA (link: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust). Is it supported to deploy Windows Hello for Business Hybrid Certificate Trust using only modern management and an NDES RA? (Note: I can supply the WHFB planning worksheet for Contoso.)

1.6K Views, 0 likes, 0 Comments