Windows Hello for Business in Intune

Djordje Novakovic 626 Reputation points
2021-10-18T09:14:40.497+00:00

Hello,

We have hybrid Active Directory configured in our environment and we have started implementing Windows Hello for Business (for that hybrid environment).
We have also started with Intune and Autopilot installations, and joined some devices to Azure AD only.

We have not enabled WHfB in Intune (it is set to Not Configured), but during the Autopilot process one step requires setting up a PIN, fingerprint, etc.
[screenshot: 141326-whfb.jpg]

What would happen if we enable this WHfB setting in Intune? Will it conflict with the current one in the hybrid environment?

Or is this configuration in Intune only related to devices that are in Azure AD and managed by MDM?

Thanks!


Accepted answer
  1. Crystal-MSFT 42,956 Reputation points Microsoft Vendor
    2021-10-19T01:59:56.053+00:00

    @Djordje Novakovic, the "Not configured" value means we don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10/11 devices aren't changed. If we don't want to enable Windows Hello for Business during device enrollment, we can change the value to Disabled to see if the prompt is still there. Here is a link for reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy

    The Windows Hello for Business policy under Windows enrollment supports the Windows Autopilot out-of-box experience (OOBE) and is applied when a device enrolls. It will not affect devices in the on-premises environment that are not enrolling into Intune.

    If this is a Hybrid Azure AD joined device that enrolls into Intune, and we deploy Windows Hello for Business configuration using both Group Policy and Microsoft Intune, the Group Policy settings will take precedence and the Intune settings will be ignored. Here is an article for reference:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy

    Hope it can help.

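As an added check (not code from the thread or from Microsoft), the following PowerShell snippet reads the Windows Hello for Business "Enabled" value from the Group Policy registry location and from the MDM (Intune) policy location on a device, and reports which source is effective under the precedence described in the answer (Group Policy over Intune on hybrid-joined devices). The two registry paths are assumptions taken from Windows documentation, so verify them on your build; the MDM key is nested under a per-tenant GUID that differs for every tenant.

```powershell
# Added example: report where a device's Windows Hello for Business setting comes from.
# Assumed registry locations (verify on your Windows build):
#   Group Policy (on-premises AD / hybrid): HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork
#   MDM / Intune (PassportForWork CSP):
#     HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies\UsePassportForWork
$gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'

# Returns the named DWORD from a registry key, or $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $Name)) {
            return [int]$item.$Name
        }
    }
    return $null
}

$gpoEnabled = Get-PolicyValue -Path $gpoKey -Name 'Enabled'

# The MDM key is nested under a per-tenant GUID; inspect every tenant subkey present.
$mdmEnabled = $null
$mdmTenant  = $null
if (Test-Path -Path $mdmRoot) {
    foreach ($tenant in Get-ChildItem -Path $mdmRoot -ErrorAction SilentlyContinue) {
        $policyPath = Join-Path -Path $tenant.PSPath -ChildPath 'Device\Policies\UsePassportForWork'
        $value = Get-PolicyValue -Path $policyPath -Name 'Enabled'
        if ($null -ne $value) {
            $mdmEnabled = $value
            $mdmTenant  = $tenant.PSChildName
        }
    }
}

# Group Policy wins whenever it is set at all; Intune only applies when GPO is silent.
$effective = if ($null -ne $gpoEnabled) { 'Group Policy (takes precedence over Intune)' }
             elseif ($null -ne $mdmEnabled) { 'Intune / MDM' }
             else { 'Not configured by either source' }

[pscustomobject]@{
    GroupPolicyEnabled = $gpoEnabled
    IntuneEnabled      = $mdmEnabled
    IntuneTenantId     = $mdmTenant
    EffectiveSource    = $effective
} | Format-List
```

Run it in an elevated PowerShell session on the enrolled device; a value of 1 means enabled, 0 disabled, and an empty field means that source has not written the setting.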

1 additional answer

  1. Rahul Jindal [MVP] 9,141 Reputation points MVP
    2021-10-18T21:30:32.103+00:00

    This is a tenant-wide setting and supports AAD identity. It will not work for Hybrid joined devices. This will require additional configuration on-premises. However, the important question you should be asking yourself is why bother continuing to invest in Hybrid when you can manage just about anything using AAD identity?
