Windows Hello for Business in Hybrid Environment - 'Not Applicable' Error

Wakeyo Tolera Ejeta 0 Reputation points
2024-04-23T09:29:26.71+00:00

I am trying to deploy WHfB in a hybrid environment where devices are being managed by both SCCM and Intune.

After I created an Identity Protection Configuration on Intune that requires WHfB, I got an error that says "Not Applicable".

Note: Since we have implemented MFA using Conditional Access Policy, we have implemented the requirements for WHfB regarding the WHfB GPO, Auto-MDM enrollment GPO, and Hybrid Azure AD Join.

When I researched this, one of the reasons this happens is if the device configuration role on SCCM is assigned to Configuration Manager for co-managed devices.

When I checked, this was right. The "Device Configuration" workload is assigned to Configuration Manager on SCCM. To solve this, I tried changing the workload for 'Device Configuration' from Configuration Manager to Intune, but the 'Device Protection' workload also changes at the same time. And I don't want the 'Device Protection' workload to change while I try to change the 'Device Configuration' workload, because we manage Defender using SCCM.

How can I solve this and implement WHfB successfully?


1 answer

  1. glebgreenspan 2,240 Reputation points
    2024-04-23T12:13:08.0533333+00:00

    Hello Wakeyo

    Make sure you have done these steps:

    1. Confirm that the Identity Protection Configuration in Intune is correctly configured to require Windows Hello for Business.
    2. Verify that the WHfB GPO and Auto-MDM enrollment GPO have been successfully applied to the devices in your environment.
    3. Check the configuration of the Conditional Access Policy for MFA to ensure that it is not conflicting with the WHfB requirements.
    4. Make sure that the device configuration role in SCCM is not assigned to Configuration Manager for co-managed devices. If it is, try changing the workload for 'Device Configuration' to Intune. If changing the workload affects other configurations that you do not want to change, you may need to consider adjusting your device management strategy to accommodate both platforms.
