windows hello for business
15 Topics

Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue
To clarify my scenario, I'm looking to distribute 100 Laptops to users in a few months. I like Windows Hello for Business's biometrics functionality with TPM chips; I'm sure users would love its ability to unlock a screen in less than a second with a fingerprint. But I have issues with the PIN(s). Here's the use case: a user is sent a Laptop, which is enrolled in Azure through Intune and Autopilot. As part of the initial sign-in procedure the user is prompted to enter a PIN for their Windows account. This can only be numbers. This, I'm told, is unavoidable, if we want to take advantage of the other benefits of Windows Hello, such as the Biometrics (unlocking a PC with a fingerprint). I am aware that this PIN can ONLY be used on this device. Once the user is signed in, the Bitlocker automated encryption process is automatically triggered on their device. The user is then requested to create ANOTHER PIN that will allow the hard drive to be unlocked on startup, which – again – can only be numbers. Similarly, I am aware that this PIN can also only be used on this device. We want Bitlocker configured; I can see hacking attempts once Windows is booted fully becoming more frequent. My problem is that I find it hard to believe with any degree of likelihood that a user is not expected to use the same combination of numbers for both of these PINs and – as a result – this nullifies any two-factor authentication benefits to having a Bitlocker PIN on the device. Worse, it allows people local access to desktop and files just by knowing one PIN, even when booting the machine from cold. This is, if anything, less secure than having a Password on its own to unlock the device – the PIN in either case scenario cannot be set to expire. My question is, are Microsoft looking to remove the requirement for a PIN from Windows Hello for Business at any time in future because – if not – I don't feel comfortable using it if access to devices can be achieved in such a simple way.
I was hoping that being able to accommodate (and, if anything, mandate) non-numerical characters in Bitlocker PINs – as is the case with devices that are registered with a local Domain Controller, but for some reason not in Azure – may help compensate for this, but I am told this is not the case. It's not even possible to block the PIN as an option on first login after a cold boot.

Mark (Solved, 15K Views, 0 likes, 2 Comments)

Azure AD Joined device is not honoring Windows Hello for Business Config Policy from Intune
With the availability of Cloud Kerberos Trust we are now able to deploy WHfB to our Hybrid workforce, but we do have a handful of Azure AD Joined devices that we also need to deploy to; all of these devices are enrolled in Intune and our user accounts are all on-prem AD and synced to Azure. When I configured the WHfB policy using the Settings Catalog Configuration Profile and applied it to our test devices, the hybrid one works great - it obtains the settings and I can see the updates to the registry, and the Windows UI reflects these settings in the WHfB setup - for example, the PIN Complexity settings were set to minimum 4 and allowed all characters, symbols, etc. However, when I applied the same policy to an Azure AD Joined device, the device received the settings, made the registry changes, yet when configuring the PIN, the requirements shown on screen were not what was set in the policy. I tried changing some settings in the policy to see if the updated registry settings would affect the Windows UI, but still nothing. Where could this setting be getting overwritten from, or does an AADJ device with an on-prem synced user account need to have the WHfB config set a certain way? We are not making any settings using the other methods of configuring WHfB such as Enrollment, Identity Protection Template, Account Protection (Endpoint Security), and on-prem Group Policy cannot set WHfB policies on user accounts, only devices, so this doesn't apply as it's AADJ. You can see the settings that are applied in the policy, what's reflected in the registry, and then what the UI says when setting a PIN.

(7.1K Views, 1 like, 11 Comments)

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello, I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices. I recently enabled HAADJ in AAD Connect. As expected, first of all the devices acquire a userCertificate attribute as part of the WorkplaceJoin scheduled task, sync to Azure AD as part of the next AAD Connect sync cycle, and show up in the Azure AD tenant as a HAAD device. The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to set up a Windows Hello for Business PIN. You can skip the process and continue, but every subsequent login asks you to set up a PIN which you can sync. The devices are HAADJ but not enrolled into Intune for MDM. In the Azure AD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt. The only way forward I'm finding to deal with this is by setting the setting "Use Windows Hello for Business" under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled. It was previously set to Not Configured. This stops the setup PIN prompt coming up after login; however, notifications still appear in the notification area after login saying that "The system is configured to use Windows Hello for Business. Click here to set up your PIN." I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings. End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business. Any ideas?

(5.4K Views, 0 likes, 1 Comment)

Set User Default Credential Provider for Lock Screen
I'm using Windows 10 Enterprise 22H2 with Intune and MECM (Co-Managed). We enforce that our users enrol for Windows Hello for Business. They can use PIN or Biometric. This all works fine, but when the user session locks (idle time etc.) it defaults to the username/password credential provider even if the user signed into the desktop console session with a PIN. I'm aware there is a system-wide policy to set the default credential provider here https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider but I am wondering if there is a method to do this per user, or have the lock screen default to the credential used for the user's sign-in?

(4.3K Views, 0 likes, 5 Comments)

Windows Hello for Business implementation
Hi, for a couple of days now we've introduced Windows Hello for Business (WHfB) to a subset of test devices from within Intune. Everything works as expected except for one thing, I guess: when someone tries to log on with a non-enterprise account (e.g. @live.nl) in Teams and/or OneDrive, the machine is prompting to authenticate with WHfB. Am I missing something? Why is this happening and how can we prevent this? Any thoughts are welcome.

(4.1K Views, 0 likes, 8 Comments)

Windows Hello for Business: Hybrid Certificate Trust + Modern Management - NDES RA
Contoso wants to implement Windows Hello for Business. Walking through the "Planning a Windows Hello for Business Deployment" process with Contoso resulted in the following deployment parameters:

1. Hybrid - customer has AD and Azure AD (federated environment with ADFS)
2. Certificate Trust - customer already has ADCS PKI and wants to reuse WHFB certificates for other purposes (e.g., AlwaysOn VPN.)
3. All PCs are Hybrid Azure AD Joined (no non-domain-joined PCs; no Azure AD Joined PCs.)
4. Contoso wants to use Modern Management (Intune) policy to manage the WHFB PCs - not Group Policy. Note that Contoso is a federated environment, so they could use group policy and an ADFS RA. But they don't want to (creates another dependency on ADFS, which is undesirable.)

Above requirements yield a need for an NDES Registration Authority. The Windows Hello for Business Hybrid Certificate Trust Deployment Guide does not document this scenario with modern management and an NDES RA. It only describes deployment with Group Policy management and an AD FS RA. (link: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) Is it supported to deploy Windows Hello for Business Hybrid Certificate Trust using only modern management and an NDES RA? (Note: I can supply the WHFB planning worksheet for Contoso.)

(1.6K Views, 0 likes, 0 Comments)

Allow users to choose how they sign in
Hello, I don't find the option "Allow users to choose how they sign in" to allow users to choose between using Windows Hello for Business or a traditional password to log in. Is it no longer supported? Or how can I just enable Windows Hello for Business and not by force? Thank you in advance.

(801 Views, 0 likes, 1 Comment)

WHfB prompting for password at first login
Hi All, I can't seem to get these Intune policies correct for WHfB (Windows Hello for Business). I want WHfB active using a PIN for a customer. I have a test VM set up and registered with WHfB correctly. When you first power on the machine and log in, there is no prompt for a PIN, only the M365 password. Once logged in, I can lock or log off and I am prompted with the PIN login. I restart the VM and I am back to having to use a password for the initial login. I have WHfB set up in the following areas:

Endpoint security | Account protection (Assigned to All devices and All users)
Use Windows Hello for Business (Device) - True
Use Windows Hello for Business (User) - True (tried without this first)
Minimum PIN length - 6

Devices | Enrollment
Configure Windows Hello for Business - Enabled
TPM - Preferred
Minimum PIN length - 6
Allow biometric - Yes
Allow phone sign-in - Yes

Devices | Configuration (assigned to All users & All devices)
Turn on convenience PIN sign-in - Enabled
Minimum PIN Length (User) - 6
Use Windows Hello For Business (User) - True
Use Remote Passport - Enabled
Allow Use of Biometrics - True

I know there is quite some doubling up having this configured at all possible levels. I started with Device enrollment and a configuration profile, and then moved to Account protection. I'm currently going round in circles trying to work out why the initial login isn't prompting for a PIN. (I also built a new VM and it's doing the same thing.) Although, on first reboot it worked fine from memory. Thanks in advance Gurus

(Solved, 699 Views, 0 likes, 3 Comments)

WHFB-Cloud Kerberos Trust Compatible for Server 2012 R2
Hi, we have a Hybrid AAD join environment and currently have DC: 2012 R2 along with ADC 2019. Currently we have the Cloud Kerberos Trust model and need to configure WHFB via GPO. Is 2012 R2 compatible for that, or do we need to upgrade that to Server 2016? Any suggestion or experience? I already went through the Microsoft reference link below, which mentions that Server 2016 is the minimum requirement. However, 2012 R2 is the production one, so we don't want to upgrade that. Is Windows Hello for Business workable in that scenario? https://learn.microsoft.com/en-gb/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune

(599 Views, 0 likes, 0 Comments)