andreasbright-4989 asked LuDaiMSFT-0289 commented

Windows Hello for Business

Hi,

We have not configured Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business. This has default settings as shown in the image. We have implemented the MS default security baseline, and we have configured a BitLocker policy and we have also enabled MFA. We have also configured a compliance policy as shown in the image... so I am wondering how it is that we still get Windows Hello when we enroll machines. Have we configured it somewhere? I am struggling to see the complete picture.

48410-hello.jpg


48491-hallo2.jpg



Thanks for reply

/R
Andy

NickHogarth-MVP answered NickHogarth-MVP edited

Did you confirm in the security baseline that Block Windows Hello for Business is set to enabled? Do you have a Device Configuration profile that enables Windows Hello for Business? If all those settings do not enable it, you can try changing it to Disabled rather than Not configured in your screenshot.

LuDaiMSFT-0289 answered LuDaiMSFT-0289 edited

@andreasbright-4989 Thanks for posting in our Q&A. From your description, I know that you get Windows Hello for Business when you don't configure this setting in Intune. If there's any misunderstanding, feel free to let us know.

For this situation, I have done some research. I find that if the device is only Azure AD joined, it is most likely that the device is set to use Windows Hello for Business automatically. We can read the following official article as a reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#how-to-use-windows-hello-for-business-with-azure-active-directory

Based on my test, if we want to disable Windows Hello for Business, we can try the following steps:

  1. Go to the Microsoft Endpoint Manager admin center portal, Devices > Enroll devices > Windows enrollment, configure the setting "Windows Hello for Business" to "Disabled" and configure the settings like PIN length, etc. We can see more details in the following link:
    https://docs.microsoft.com/en-us/mem/intune/protect/windows-hello#:~:text=You%20can%20integrate%20Windows%20Hello,or%20a%20virtual%20smart%20card

  2. Enroll the devices, then check and find that the Windows Hello for Business page will not appear.

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
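
A device-side check for the question of where the setting comes from, added here as an example and not part of any post in this thread: it reads the join state from `dsregcmd /status` and looks for a Windows Hello for Business policy value delivered by Group Policy or MDM. The registry locations and the `dsregcmd` field names do not appear in the thread; they are assumptions to confirm on your Windows build, and the sample output is constructed.

```powershell
# Added example (not from the thread): join state plus any Windows Hello for Business policy value.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Name : Value" pairs; banner and separator lines do not match.
        if ($line -match '^\s*([A-Za-z][\w -]*?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Get-HelloPolicyValue {
    $found = @()
    # Assumed Group Policy location ("Use Windows Hello for Business").
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    if (Test-Path $gpo) {
        $v = (Get-ItemProperty -Path $gpo).Enabled
        if ($null -ne $v) { $found += [pscustomobject]@{ Source = 'GPO'; Name = 'Enabled'; Value = $v; Path = $gpo } }
    }
    # Assumed MDM (Intune) location: one subkey per tenant ID, value UsePassportForWork.
    $mdm = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdm) {
        foreach ($key in Get-ChildItem -Path $mdm -Recurse) {
            $v = $key.GetValue('UsePassportForWork')
            if ($null -ne $v) { $found += [pscustomobject]@{ Source = 'MDM'; Name = 'UsePassportForWork'; Value = $v; Path = $key.Name } }
        }
    }
    $found
}

# Constructed sample output, used only where dsregcmd.exe is not present.
$sample = @(
    '             AzureAdJoined : YES'
    '              DomainJoined : NO'
    '                    NgcSet : YES'
)
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
$state = ConvertFrom-DsregStatus -Lines $lines
$policy = @(Get-HelloPolicyValue)

"AzureAdJoined = $($state['AzureAdJoined']); DomainJoined = $($state['DomainJoined']); NgcSet = $($state['NgcSet'])"
if ($policy.Count -gt 0) {
    $policy | Format-Table -AutoSize          # 1 = enabled, 0 = disabled
} elseif ($state['AzureAdJoined'] -eq 'YES') {
    'No Hello policy value found: the Azure AD joined device is on the default behaviour described in the answer above.'
} else {
    'No Hello policy value found and the device is not reported as Azure AD joined.'
}
```

Run it in the signed-in user's session, because `NgcSet` describes the current user rather than the device.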

andreasbright-4989 answered LuDaiMSFT-0289 commented

Hi,

Thanks for reply.

I am not sure what you mean by "confirm in the security baseline that Block Windows Hello for Business is set to enabled". I cannot find any settings in the baseline related to Windows Hello for Business.

We do not have any Device Configuration Profiles that enable Windows Hello for Business.


I guess we could try to disable it in the screenshot, but still I would like to see the complete picture. One thing that I was wondering about is maybe this is Windows Hello I see and not Windows Hello for Business? How can I see the difference?

/R
Andy


@andreasbright-4989 Thanks for your update.

For Windows Hello, what page did you see when you started the device? If the page is the same as the following image, it means it is Windows Hello for Business.
49121-image.png

If there is anything unclear, feel free to let us know.


@andreasbright-4989 I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.

