RamRam-7112 asked yannara answered

Disable Windows Hello for existing devices but enable it with OOBE for new users

Disable Windows Hello for a user group
I have a question about Windows Hello for Business and Autopilot/Endpoint Manager.

1> WHfB is currently disabled at Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business.

2> There are about 200 devices currently in Intune (AAD/Intune managed). Windows Hello shouldn't be enabled on them.

3> A new set of devices needs Windows Hello enabled.

4> An identity policy is defined to enable WHfB under Device configuration and is targeted at the new group that needs WHfB enabled.

5> The policy doesn't always apply as part of OOBE (it needs at least one reboot). Mixed results: it mostly applies after the first reboot, not as part of OOBE.

The best way to apply WHfB is at Windows enrollment; however, will it impact the 200 devices which are already in Intune? I do not want those devices to be enabled with Windows Hello (but I do want new devices to get WHfB as part of OOBE).

Based on

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization


> Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.

I wonder whether configuring it as below will impact the existing devices:

1> Enable WHfB in Windows enrollment (tenant settings)

2> Disable WHfB using the identity policy (device configuration) targeted at the old 200 devices and 200 users

Tags: mem-intune-enrollment, mem-autopilot

@RamRam-7112, based on my test, when I apply a device configuration policy which disables Windows Hello for Business to existing enrolled devices, it works. In my lab, Windows Hello for Business is already configured in device enrollment. After the device configuration policy is applied, it shows as applied successfully. So I think it will not conflict and can work.

Hope it can help.


@RamRam-7112, Hope things are going well. I am writing to see if there's anything else we can help. If yes, feel free to let us know.

RahulJindal-2267 answered

I blogged about this a while ago, although my requirement was the opposite. However, you can modify the configuration to suit yours based on the details covered in the blog post here: how-to-block-windows-hello-for-business.html


yannara answered

The simplest way is to use an exclude group in the WHfB config profile. You don't need to enable WHfB for Autopilot.
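One way to do what this answer describes, as an added example that is not code from the thread or from Microsoft: assign the WHfB device configuration profile to the new-device group and exclude the legacy group through Microsoft Graph (Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module), then read the assignments back to confirm the exclusion is in place. The profile ID and both group IDs are placeholders.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph.Authentication
# module and an already-created WHfB device configuration profile.
# All three IDs are placeholders, not values from this page.
$ProfileId     = '00000000-0000-0000-0000-000000000001'   # WHfB device configuration profile
$NewDevicesGrp = '00000000-0000-0000-0000-000000000002'   # group that should get WHfB (new Autopilot devices)
$LegacyGrp     = '00000000-0000-0000-0000-000000000003'   # the ~200 existing devices/users to keep WHfB off

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$ProfileId"

# Include target for the new devices, exclusion target for the existing fleet.
# For a device that is a member of both groups, the exclusion wins.
$body = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = $NewDevicesGrp } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                       groupId       = $LegacyGrp } }
    )
}

# The assign action replaces the profile's full assignment list with this body.
Invoke-MgGraphRequest -Method POST -Uri "$base/assign" -Body $body

# Verification: read the assignments back and fail loudly if the legacy group
# is not excluded, so the profile is never left targeting the old fleet by mistake.
$assigned = (Invoke-MgGraphRequest -Method GET -Uri "$base/assignments").value
$excluded = $assigned | Where-Object {
    $_.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and
    $_.target.groupId -eq $LegacyGrp
}
if (-not $excluded) {
    throw "Legacy group $LegacyGrp is not excluded from profile $ProfileId"
}
Write-Host "Profile $ProfileId assigned: include=$NewDevicesGrp exclude=$LegacyGrp"
```

Because the tenant-wide Windows enrollment WHfB setting has no exclusion option, this keeps that setting disabled and relies on the profile assignment alone, which is what the answer above recommends.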
