Excluding Windows Hello for Business (WHfB) for Windows 10 using Intune assignment filter
Good morning, I'm experiencing a persistent issue with applying an exclusion policy for Windows Hello for Business (WHfB) on Windows 10 devices (actually a testing VM) managed through Microsoft Intune. Despite configuring the assignment filter and verifying its correct evaluation in Intune, Windows 10 devices continue to allow WHfB PIN creation, and the option to remove the PIN is disabled. Scenario and objective: My goal is to enable Windows Hello for Business for all users except when they log in from a Windows 10 device (already enrolled in Intune). Therefore, the intention is to disable WHfB specifically for Windows 10 devices. Current configuration: WHfB policy: I have a device configuration profile named “WHfB” (Platform: Windows) which enables Windows Hello for Business. Policy assignment: This policy is assigned to a “WHfB Dynamic Group” that contains users with the “manager” attribute. Assignment filter (exclusion): I created and applied an assignment filter named “Windows 10 Device Filter” to the policy mentioned above. Filter mode: Exclude. Filter definition: (device.osVersion -contains "10.0.1") Observed behavior: Filter evaluation in Intune (as shown in the previously provided screenshot): For the problematic Windows 10 device, in the “Filter Evaluation” section of the “WHfB” policy, the “Windows 10 Device Filter” shows “Evaluation Result: Match” and “Mode: Exclude.” The message states “Policy not delivered.” This confirms that the filter is working correctly in Intune and that the WHfB policy is not applied to the Windows 10 device. Behavior on the Windows 10 device: Despite the exclusion, the user (AdeleV) can still modify and use the WHfB PIN. The “Remove” PIN option is disabled (greyed out) in sign-in options. Windows Event Logs (HelloForBusiness/Operational): The log displays several errors (Event IDs 7054, 8203, 7204) and informational events (8210, 8200, 8202, 5060 “PIN required”). Event 7054 specifically indicates error 0x1 (or 0x80000000000000001), which is a generic error. Troubleshooting steps performed: Forced sync and restarts: executed multiple times on the Windows 10 device. Sync status in Intune for the “WHfB” policy sometimes shows “Unavailable,” but filter evaluation is always “Match/Exclude.” OS version verification: The OS version on the device (10.0.19045.3803) confirms that the string “10.0.1” is contained, so the filter syntax is correct. Policy conflict search: I reviewed the device’s configuration profiles and compliance policies applied via Intune, but didn’t identify any obvious conflicts or other policies that explicitly enable WHfB. Question: Given that my WHfB exclusion filter works correctly, but WHfB is still enabled on the Windows 10 device (and the PIN can’t be removed, with a generic error in the log), what could be the root cause?
Win 10 : VPN disconnecting then redeploying during Intune Sync
We have a IKEv2 user tunnel deployed using an Intune VPN Configuration profile. Every time Intune syncs, The VPN profile gets disconnected. If you obverse Network Connections in Control Panel while Intune Syncs, you can see that the VPN Profile gets removed then re-added in a span of a few seconds. Looking online at similar issues it seems that this used to be an issue on Windows 11 devices but was fixed some time ago. Our fleet is on Windows 10 and I couldn't find any examples of this issue on Win 10 online. is anyone else experiencing this issue? Any fix or workaround?Autopilot OOBE stuck at "Sign in With Microsoft" page after authenticating on company specific page
I'm trying to set up intune for windows autopilot, but having trouble. I have the policies configured for our Hybrid AADJ environment, and when starting OOBE on a computer I do get prompted to log in at a screen showing our company specific info, but once I authenticate there (using either password or phone sign in) it comes up to an unbranded "sign in with microsoft" screen, asking me to sign in to my work or school account. On this screen, I can enter a username, but the Next button doesn't do anything. I'm just stuck on that screen. What could be causing this behavior? The computer is running W10 v1909 pro, if that matters. One of the intune policies assigned to it should upgrade it to Enterprise, but I'm not even getting that far.
Intune enterprise wi-fi profile for windows - clients stuck on pending
Hi everyone, I opened a ticket with Microsoft but maybe someone already encountered this and can help. We deployed a .1x wireless network and until last Thursday it worked perfectly. here is the setup we use: On Thursday I renamed all the profiles associated with the wireless network to reflect for which clients this profile is for and what it does. Apparently this resulted in deleting the wireless profile from the clients... I decided to recreate the policies of the trusted root certificate profile, PKCS certificate profile and the wireless profile but it still didn't work. The picture above is another wireless network I deployed to test whether the problem is with the wireless name but the new profile also didn't deploy. I also deployed a basic network which deployed successfully. Worth noting but maybe unrelated, We blocked the public store and I checked the policy to make sure it was deployed successfully. any ideas? Rahamim.
Windows 365 Administrator built-in role getting 401 unauthorized when enrolling devices
I'm trying to enroll new devices using the get-windowsautopilotinfo script. For this task, I'm trying to use a user assigned with the built-in role "Windows 365 Administrator", which is a new role. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#windows-365-administrator Based on the above article, the role has the "microsoft.directory/devices/create" action, with description "Create devices (enroll in Azure AD)". It even says the role can "Enroll and manage devices in Azure AD, including assigning users and policies". But when I execute get-windowsautopilotinfo -online in Windows 10 OOBE Powershell, and login with the Windows 365 Admin. user, I encounter the following error: add-autopilotimportedevice: system.net.http.httprequestexception: 401 unauthorized Anyone else encounter the same problem? Should I just wait a few months for Microsoft to fix the role? 🙂 I've tried waiting 24 hours after assigning the role, same error. It might be unlikely a delay-related issue, a few seconds after assigning the Intune Admin. role, the script executes flawlessly. I've also tried 2 users, 2 separate devices, same error.
Windows 10 22H2 are not being offered by Intune
Hi everyone, All my devices are the same make/model(Dell Latitude 3520), Windows 10, same device group and Intune MEM/AAD joined. I have set Update Ring to delivery Quality/Feature updates automatically on Intune. Some devices are not being offered the Feature update 22H2 but are receiving the Quality updates normally. If I check updates it says Device updated. This is affecting more than 40 devices. Is anyone have any idea what can be done?
Where to find CIS Benchmarks/Baselines for Windows 10
Hello I am trying to locate CIS benchmarks/compliance baselines specifically targeting Windows 10. This documentation implies that these exist somewhere within the scope of the Azure/Intune/Endpoint/Defender/Security portals: https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines?view=o365-worldwide "Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019" However, I have been unable to locate these. The documentation says: "Go to Vulnerability management > Baselines assessment in the Microsoft 365 Defender portal". However, the menu item "Baselines assessment" does not show at all in my view of that portal using a GA login. I have tried activating a trial which I thought may hold the answer, but this does not appear to have surfaced anything new: https://security.microsoft.com/tvmPremiumTrial180daySolution We're a UK-based CSP customer, if that matters. I would be grateful for any advice as to where we can find these benchmarks and make use of them for our endpoint managed devices. If these benchmarks represent a feature which is yet to be made generally available, any information as to timelines to a release would also be immensely useful. Many thanks in advance, RobertKiosk Mode - Win32 App with no install or AMUID
Hi I'm looking for advise on the best way (if possible) to create Kiosk mode devices, deploying an application which does not have an EXE install or an AMUID. The application is install purely via a Powershell file copy to specific folders. I have tried to use PS2EXE, create an EXE then use MSIX packing tool to see if I could use this method but I get errors around certificates. To be honest I'm not sure this is the best method. I want something simple as the application is likely to be updated frequently for a little while. I'm new to kiosk devices so this is all a learning curve for me so forgive me if I'm missing the obvious. ThanksWindows Hello for Business implementation
Hi, For a couple of days now we've introduced Windows Hello for Business (WHfB) to a subset of test devices from within Intune. Everything works as expected except for one thing I guess: When someone tries to logon with a non-enterprise account (eg. @live.nl) in Teams, and/or Onedrive, the machine is prompting to authenticate with WHfB. Am I missing something? Why is this happening and how can we prevent this? Any thoughts are welcome.The Windows 10 update rings Setting don't work
I have a windows 10 update rings, which is set in the attached picture. But I found there has a problem that the pc will auto-restart after install the office 2016 patches. I want to find a solution that reminds the user before the pc start restart, is there has someone who knows how to resolve this issue? By the way, is windows 10 rings didn't support control office 2016 update programs yet?
