hello for business
4 Topics

Win 10 Security Baseline: Issue with WHFB
Hi, I activated the Intune Win 10 security baseline on a set of devices. I now experience an issue with WHfB. My face and fingerprint are not recognized, resp. the login process is giving an error, saying that I cannot be identified. One user reports that when away from the company, WHfB works as expected, asking for face or fingerprint and, as a second factor, a PIN. I have another policy in Intune that is giving MDM policies precedence over GPO, so I cannot understand why it works for that one user when outside of the company. What settings in the MDM security baseline could possibly be the cause, resp. be responsible for broken WHfB?
125 Views, 0 likes, 5 Comments

Set User Default Credential Provider for Lock Screen
I'm using Windows 10 Enterprise 22H2 with Intune and MECM (Co-Managed). We enforce that our users enrol for Windows Hello for Business. They can use PIN or biometric. This all works fine, but when the user session locks (idle time etc.) it defaults to the username/password credential provider even if the user signed into the desktop console session with a PIN. I'm aware there is a system-wide policy to set the default credential provider here https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider but I am wondering if there is a method to do this per user or have the lock screen default to the credential used for the user sign-in?
4.8K Views, 0 likes, 5 Comments

Azure AD Joined Hello for Business and NPS Radius Authentication
Hi guys, I am starting to roll out the Windows VPN client using L2TP to our computers, which are a mixture of Hybrid Joined and Azure AD joined. All computers in the business have got Windows Hello for Business and this works well. The issue I am having is for the Azure AD joined machines only, signing in with biometrics. They are unable to connect to the VPN successfully when they use the '-UseWinlogonCredential' switch. This is not an issue with Hybrid Joined machines signing in with biometrics. I am struggling to find a solution to this problem, so for the interim those machines are simply prompting the user for their username and password, which gets accepted. I suspect it's a certificate issue for Azure AD joined machines only, but I'm not too sure how to configure the NPS to allow these through. Any advice is greatly appreciated!
3.3K Views, 3 likes, 3 Comments

Enforce Windows Hello
Hi, we have an environment full of Azure AD joined Windows 10 devices. We want to enforce MFA (Hello). If we set a Windows Hello Intune policy then a user can skip it, therefore it is not enforced. We have tested the MFA registration policy; my understanding is that after 14 days of skipping it should lock the user out of any MS cloud service... but it doesn't, it doesn't seem to do a lot. Also, even once Hello is registered, a user still has the option of logging into the desktop using username and password and therefore bypassing the MFA.... Has anyone got anything similar working? Thanks
4.9K Views, 0 likes, 3 Comments