User Profile
hannessyZv
Copper Contributor
Joined 2 years ago
Recent Discussions
Re: Is it possible to disable WHFB but allow local Windows Hello?
Just tried enabling convenience PIN through Intune and through GPO, both won't work. I guess the WHFB disable by Intune has higher priority. EDIT: Just found out that in fact, as soon as WHFB is set to enabled or disabled at some point, that always overwrites convenience PIN. Now I'm trying to narrow the current global scope of WHFB
1.1K Views, 0 likes, 0 Comments

Is it possible to disable WHFB but allow local Windows Hello?
We have WHFB enabled through the Intune policy for all devices. We're having issues on recently added hybrid-joined devices; they get errors when using Hello authentication methods because we don't have any certificate infrastructure. I can disable WHFB through a configuration profile for all hybrid joined devices and that works well, but those devices now can't use their fingerprint readers and are forced to use password authentication. Before the hybrid join, they had local Windows Hello authentication methods like fingerprint or face unlock configured and this configuration now seems to be gone and can't be re-enabled. The Windows settings say that the organisation has disabled Windows Hello. Is there a way to disable our global WHFB policy for our hybrid-joined devices but allow them to use local/personal Windows Hello authentication methods?
1.1K Views, 0 likes, 3 Comments

PIN authentication error after hybrid join
I have just rolled out hybrid join to several older devices in my company, which worked pretty well at first and those devices also joined Intune right away. However, for some reason only today, the WHFB policy set in and required every user to set up a PIN. But authentication with the PIN does not work after the users reboot. We either get the errors 0xc00000BB or 0xc000005E. After several hours of googling, a pattern is starting to form that points to certificate errors. We currently don't have any Kerberos-KDC, SCPA, PKCS or PKI set up in our environment and I'm honestly a little overwhelmed by the sheer documentation size revolving around this issue. Does hybrid Azure AD join only work with a sophisticated certificate authentication in place? If so, is there an easy way to implement this?

Exclude Intune apps from Conditional access/MFA
We have conditional access in place for all employees and we're about to join several 100 devices into MDM now through hybrid join AAD. While testing, I discovered that MFA prevents enrollment in most real-life situations and I would like to disable MFA for this part. I tried to add Intune and Intune enrollment to the excluded apps in the CA policy, but I can't save it; it's giving me an "Invalid session control" error. Session control is set up with "Sign-in frequency" and "Persistent browser session". I don't understand what's invalid about this, can someone explain? Also, how can I fix this? Can I just set up another policy? But if I just copy everything from the first policy, the error will likely just show up again.
3.5K Views, 0 likes, 1 Comment

Azure AD registered to hybrid joined + Intune MDM enroll
Hi, we're having ~150 devices that are on-premise domain joined and Azure AD registered through the Access work or school option. We would like to lift those devices to a hybrid AAD join and also enroll them in Intune. I set up a SCP GPO and the MDM enroll GPO and tested with a few devices. If the device is only domain joined and the computer is not yet synced through Azure Connect: As soon as I put the computer in an AAD-synced OU and deploy the GPOs, everything goes smoothly into hybrid AAD join + compliant Intune MDM enroll. However, if the device is already AD registered, it switches to hybrid join but the MDM enroll does not work. dsregcmd /status shows "WillNotProvision" but with no error message. Event log shows a lot of warnings that Windows Hello for Business could not be started. Also it says Precheck for automatic deployment completed, device is already joined. Is there any other way I can debug this? Is there a way to reset the MDM enroll?
1.3K Views, 0 likes, 0 Comments