cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Hello - Which method is being used?

Ben Owens
Brass Contributor

‎Mar 19 2021 12:47 AM - last edited on ‎Jan 14 2022 04:56 PM by

‎Mar 19 2021 12:47 AM - last edited on ‎Jan 14 2022 04:56 PM by

Windows Hello - Which method is being used?

Could somebody please direct me on how to verify the method of Windows Hello being used?

We have Windows 10 machines enrolled and managed in Intune and hybrid azure ad joined as part of a hybrid identity model with Password Hash Sync configured.

 

I have a portion of Surface devices which have recently received an update from 1909 to 20H2. 


After the update, at the next login, a toast notification is displayed to encourage the use of Windows Hello (see screenshot). Note, we have not enable the settings for Windows Hello for Business yet.

 

The user can setup the camera recognition and PIN and it works and continues to work after several reboots. This is curious, as our work on prerequisites for getting Windows Hello for Business working in the hybrid environment hasn't started yet.

 

The experience for configured Windows Hello appeared to be slightly different to what I had seen before. For example, when controlling elsewhere, I have been used to the initial full blue screen enrolment for WHFB.

 

To remove the Windows Hello functionality for the user, I ran certutil.exe -deleteHelloContainer as the logged in user, this remove the associated biometric and PIN after a logoff/reboot.

 

I enabled WHFB on that same device using local policy editor under the 'User Configuration\Windows Components\Windows Hello for Business\Use Windows Hello for Business' and rebooted. On next login, I get a full blue screen WHFB prompt, which I would normally expect, an MFA prompt from Azure AD and I can then setup camera biometric PIN for log in. 

 

After attempting to lock, logoff or reboot, I cannot login use the camera or PIN as it returns as error saying 'Your credentials could not be verified'. I would expect this error, because the prerequisite work to enable WHFB in a hybrid environment hasn't been done.

So my question is, when user configured the Windows Hello option (advertised in the toast notification after the 20H2 update) how can I check which method of of Windows Hello is being used and how is that functioning.

 

Is this somehow using Windows Hello as opposed to Windows Hello for Business?

 

Preview file
188 KB
5,612 Views
0 Likes
2 Replies
Reply
2 Replies
JHensUSMC

‎Oct 11 2022 11:44 AM

‎Oct 11 2022 11:44 AM

Re: Windows Hello - Which method is being used?

@Ben Owens 

 

I know this is an old post, but wondering if you figured out a solution?  I'm looking to do the same thing - hopefully somehow pull, via Intune, the Hello method users are utilizing to login.

1 Like
Reply
Ben Owens

‎Oct 11 2022 12:14 PM - edited ‎Oct 11 2022 12:15 PM

‎Oct 11 2022 12:14 PM - edited ‎Oct 11 2022 12:15 PM

Re: Windows Hello - Which method is being used?

@JHensUSMC the way I managed this was tweaking the registry so this type of enrolment is never presented to a user. I wrote a blog on the problem and registry tweak.  I hope it helps - https://www.teamas.co.uk/2021/07/disable-misleading-windows-hello-for.html 

0 Likes
Reply