Windows Hello for Business - Multi-Factor Unlock - Wireless Trusted Signal WPA3
I have been experimenting with WiFi trusted signal for Windows Hello for Business due to an issue that appears to have popped up after changing access point security to WPA3. I cannot seem to get the trusted signal configuration XML to properly validate the wireless trusted signal when WPA3 is the security type (With security being a required property). It works fine on WPA2, but no syntax for WPA3 seems to work. The official KB article from Microsoft about multi-factor unlock/trusted signals only lists the following as options: Open The wireless network is an open network that doesn't require any authentication or encryption. WEP The wireless network is protected using Wired Equivalent Privacy. WPA-Personal The wireless network is protected using Wi-Fi Protected Access. WPA-Enterprise The wireless network is protected using Wi-Fi Protected Access-Enterprise. WPA2-Personal The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key. WPA2-Enterprise The wireless network is protected using Wi-Fi Protected Access 2-Enterprise. Just worried this may just be straight up incompatible. Has anyone had luck using WPA3 for WHfB with wireless as a trusted signal?Azure AD Joined device is not honoring Windows Hello for Business Config Policy from Intune
With the availability of Cloud Kerberos Trust we are now able to deploy WHfB to our Hybrid workforce but we do have a handful of Azure AD Joined devices that we also need to deploy to, all of these devices are enrolled in Intune and our user accounts are all on-prem AD and synced to Azure. When I configured the WHfB policy using the Settings Catalog Configuration Profile and apply it to our test devices, the hybrid one works great - it obtains the settings and I can see the updates to the registry and the Windows UI reflects these settings in the WHfB setup - for example, the PIN Complexity settings were set to minimum 4 and allowed all characters, symbols, etc. However when I applied the same policy to an Azure AD Joined device, the device received the settings, made the registry changes, yet when configuring the PIN, the requirements shown on screen were not what was set in the policy. I tried changing some settings in the policy to see if the updated registry settings would affect the Windows UI but still nothing. Where could this setting be getting overwritten from or, does an AADJ device with an on-prem synced user account need to have the WHfB config set a certain way? We are not making any settings using the other methods of configuring WHfB such as Enrollment, Identity Protection Templace, Account Protection (Endpoint Security) and on-prem Group Policy cannot set WHfB policies on user accounts, only devices so this doesn't apply as it's AADJ. You can see the settings that are applied in the policy and what's reflected in the registry and then what the UI says when setting a PIN.
