How can I use "Windows Hello for Business" as passwordless sign-in on my laptop?


I have activated Windows Hello for Business using an Intune configuration profile. Now that it's activated - how can I use it? It does not appear as sign-in method when I'm prompted with sign-in window.

Dear @Kiril,

I am missing some context. Did you successfully set up any form of trust (e.g., Cloud, Key, or certificate trust)? When stating Windows Hello for Business and Password-less, I assume you already have this set up. Could you confirm?

Also, there is a tenant-wide setting for WhFB. Which one did you configure? You can find the setting under the Intune Portal > Windows Devices > Windows enrollment > Windows Hello for Business. Don't set this feature to Disabled. Even if you create a Configuration profile, this policy won't enable Windows Hello for Business.

Thank you, @BilalelHadd.


Yes, we are using cloud-only Azure AD. WHfB is enabled on the tenant level and using the Endpoint security "Account protection" policy.


Welcome! @Kiril

You are missing some critical steps to make use of WhFB. Rather than setting up a complicated PKI infrastructure, I recommend configuring Cloud Trust, especially when your devices are Azure AD joined only. Many articles and blogs are available on configuring a Windows Hello for Business Cloud Trust. This would also enable you to access network drives and shares with WhFB. I hope this helps!

@BilalelHadd Thank you. I did not set up a PKI infrastructure.


I followed all the steps described here: Windows Hello for Business Deployment Overview | Microsoft Learn and Windows Hello for Business Deployment Prerequisite Overview | Microsoft Learn.


Which information is missing there? Can you point me to those articles and blogs?

Of course. Visit the following link:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybr...

It should point you in the right direction. Following these steps requires no PKI infrastructure.

@BilalelHadd

The link you provided is about "Hybrid cloud Kerberos trust deployment". We are not in a hybrid scenario, nor do we have an Active Directory (on-prem). As mentioned before, the right deployment guide is Azure Active Directory join cloud only deployment | Microsoft Learn.


"When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed."


You're completely correct regarding the link that I've shared.

Did you also think of the apps and services that need to authenticate (e.g., with SSO)? Password-less goes further than only logging in with strong authentication.

For accessing legacy apps and services, I would recommend the Hybrid Cloud Trust. If you are sure that all apps and services are SSO compatible, then you should be fine.

Could you share a screenshot with the configuration profile you've created for WhFB?

@BilalelHadd, sure:

(screenshot attachment: Kiril_0-1669307064618.png, the WhFB configuration profile)

What is kind of strange is that some users in our tenant are missing the Authentication method "Windows Hello for Business" in the User profile in Azure. Is there some way to re-join Azure in order to get the sign-in method?

Please make sure that the devices are AAD joined. When they are, ensure that the configuration profile, as shown in the screenshot, is assigned to the devices.
Regarding your question, it won't be registered as an authentication method if they haven't set up Windows Hello for Business.

Small reminder, as stated yesterday, the WhFB trust type only impacts how the device authenticates to on-premises AD. So don't forget to do your research.
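The two checks suggested in this reply (is the device actually Azure AD joined, and did the WhFB policy reach it) can be verified on the client itself. The following PowerShell script is an added example and is not part of the thread or of any Microsoft documentation; it parses the output of `dsregcmd /status` (which ships with Windows) and reads the registry locations where Group Policy and Intune are expected to store the "Use Windows Hello for Business" setting. Those registry paths, and the `Device\Policies\UsePassportForWork` value name under the Intune tenant subkey, are assumptions to confirm against your own device; run it in an elevated PowerShell session on the affected laptop.

```powershell
# Added example, not from the thread: summarise Azure AD join and Windows Hello
# for Business (WHfB) state on the local device, so the troubleshooting steps
# from the reply above can be checked without guessing.
# Assumptions: dsregcmd.exe is present (ships with Windows 10/11); the registry
# paths below are where GPO and Intune are expected to store the WHfB policy.

function Get-DsregStatus {
    # Parse the "Key : Value" lines printed by dsregcmd /status into a hashtable.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-WhfbPolicyState {
    # Group Policy location (assumed): Enabled = 1 means WHfB is turned on via GPO.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                            -Name 'Enabled' -ErrorAction SilentlyContinue

    # Intune/MDM location (assumed): one subkey per tenant ID, each holding
    # Device\Policies\UsePassportForWork (1 = enabled, 0 = disabled).
    $mdm = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' `
                         -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path (Join-Path $_.PSPath 'Device\Policies') `
                                  -ErrorAction SilentlyContinue
            if ($p) {
                [pscustomobject]@{
                    TenantId           = $_.PSChildName
                    UsePassportForWork = $p.UsePassportForWork
                }
            }
        }

    [pscustomobject]@{
        GpoEnabled  = if ($gpo) { $gpo.Enabled } else { $null }
        MdmPolicies = @($mdm)
    }
}

$status = Get-DsregStatus
$policy = Get-WhfbPolicyState

$report = [ordered]@{
    'Azure AD joined (AzureAdJoined)' = $status['AzureAdJoined']
    'Tenant (TenantName)'             = $status['TenantName']
    'PRT present (AzureAdPrt)'        = $status['AzureAdPrt']
    'WHfB key enrolled (NgcSet)'      = $status['NgcSet']
    'WHfB enabled via GPO'            = $policy.GpoEnabled
    'WHfB enabled via Intune'         = ($policy.MdmPolicies |
        ForEach-Object { "$($_.TenantId)=$($_.UsePassportForWork)" }) -join '; '
}
$report.GetEnumerator() | Format-Table -AutoSize

# How to read the result, matching the reply above:
#  - AzureAdJoined must be YES. NO means the device is only Azure AD registered
#    (workplace joined) or domain joined, and the WHfB profile targeting Azure AD
#    joined devices will not apply.
#  - NgcSet NO means the signed-in user has not completed WHfB provisioning, so
#    no "Windows Hello for Business" method will show on the user's Azure AD
#    profile; the enrollment prompt at sign-in (or Settings > Accounts > Sign-in
#    options) has to be completed first.
#  - No GPO or Intune value present means the configuration profile never
#    reached the device; check the assignment and force a policy sync before
#    looking anywhere else.
```

The `NgcSet` field is per user, so run the script as the user who is missing the sign-in method, not as a separate administrator account, to see their provisioning state.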

@BilalelHadd

Thank you. I will take a closer look at your recommendation and update the thread.