How to disable Windows Hello for Business without impacting current users

Question

By default, WHFB is always enabled via Device Enrollment sub-settings. If I would change this setting below to "Disabled", it will stop from appearing after autopilot. But then existing users who has enabled WHFB by themselves will loose the functionality and cannot sign it. This is a little bit funny / mixed up because even with "Not Configured", the WHFB will apply so only Disable will do the trick. We need to enable WHFB only for specific group users because production computers / user-accounts can't have WHFB.

For references: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy#use-intune-to-disable-windows-hello-for-business-enrollment

Answer 1

@Pavel yannara Mirochnitchenko, Thanks for posting in Q&A.

According to your description, I know that you want to enable WHFB for specific group users.

Based on my researching, there two ways to enable/disable WHFB, one is in enrollment stage, another is after enrollment stage. However, when you enable WHFB in enrollment stage, it can only assign to all users,

 To enable WHFB and assign it to specific users’ group, you can consider create Account protection profile to enable WHFB which will occur after the enrollment. Here are some steps you can refer:

1. Go to Microsoft Intune center > Endpoint security > Account protection > Create policy > Select Platform Windows 10 and later, select Account protection(Preview)
2. Enter the policy name and click next > in the Configuration settings configure Block Windows Hello for Business Disable and other settings > In Assignment page assign it to specific users' group.

Hope this can be helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

• Disable WHfB using Windows Enrollment. - This will disable the WHfB configuration screen During Device Enrollment/Autopilot/OOBE.
• Enable it using a Device Configuration Profile > Identity Protection Template and apply it to specific Users/Devices. This will enable it for specific users/devices.

You can choose to Enable it for specific users/devices using any of the "After Device Enrollment methods" which are given in the Link: After Device Enrollment methods.

For Complete Information/guide, You can refer to: Disable Windows Hello for Business using Intune.

To Disable WHfB Post Logon Provisioning, Refer to Disable WHfB Post Logon Provisioning using Intune.

To Delete WHfB registrations on the Device, refer to Intune: Delete Windows Hello for Business registrations.

Hope this helps.

Answer 3

Actually I was trying to create WHFB using settings catalog with settings below and it has no effect.