question

TheRusseller1-3951 avatar image
0 Votes"
TheRusseller1-3951 asked Jason-MSFT commented

Windows Hello for Business Microsoft Endpoint Configuration manager config

Just wondering what peoples views are on how best to configure windows hello for business settings within the Microsoft Endpoint Manager (Intune).

Are you using the Identity Protection template or have you created a new configuration profile and selected your desired Windows Hello for Business settings - using the configuration profile settings manually seem to enable increased functionality with more options than using the identity protection template.

What are the pros/ cons you have seen and what would be your recommendation ? My chosen approach so far is to use the configuration profile and select the WHfB settings manually.

mem-intune-device-configurations
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JarvisSun-MSFT avatar image
0 Votes"
JarvisSun-MSFT answered

@TheRusseller1-3951 Thanks for posting in our Q&A.
For our question, I have done lots of research. I will provide what I know for your reference.
The issue with the built-in Windows Hello configuration profile is that it affects all users and devices, and that scope cannot be changed, nor can any users or groups be excluded. That is the “not very nice” part of the setup. The benefit of this Custom Configuration profile is that it allows you to add, remove, and change all the available CSP values for Windows Hello, biometrics and PIN in one place, but also gives you full control over who is scoped for the policy.
Hope it can help and thanks for your understanding.




If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

TheRusseller1-3951 avatar image
0 Votes"
TheRusseller1-3951 answered Jason-MSFT commented

@JarvisSunMSFT-4279 thanks for your response however my question is not in regards to the tenant wide settings for WHfB.

"Identity Protection template or have you created a new configuration profile and selected your desired Windows Hello for Business settings - using the configuration profile settings manually seem to enable increased functionality with more options than using the identity protection template."

Within MEM you have the option to select the pre defined "Identity Protection" template or you can search for the configuration settings for Windows Hello for Business and manually add the ones in which you require - here is an example of what I am using currently from the settings catalogue;

106136-screenshot-2021-06-16-105131.png


The identity protection default profile;

106175-screenshot-2021-06-16-104910.png





· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@TheRusseller1-3951 Thanks for your reply.
Could you please let me know what you have mentioned that "using the configuration profile settings manually" refer to use CSP settings to push the profile?
If so, as far as I know, "using Identity Protection template" also use the CSP to push the settings via Intune. The difference is that one is more intuitive displayed and easy to manage, and the other is more complicated and can achieve more complete functions. You can choose according to your needs.
https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp
.

0 Votes 0 ·

@TheRusseller1-3951 How are things going on? We are waiting to see if our problem is resolved. If there is anything update, please feel free to let us know.

0 Votes 0 ·

@JarvisSunMSFT-4279 Well my original thoughts on using the settings catalogue remain the same - more flexibility and advanced configuration profiles can be created from settings from various categories - the templates seem an easy and simplified way to implement a configuration profile.

Would be really good to know when this will be coming out of Preview - I don't seem to be able to find a release date for this yet, would be a risk to implement settings catalog while in preview.

0 Votes 0 ·
Show more comments