Deployment of Windows Hello for Business through Intune

Tom Wrigglesworth 125 Reputation points
2023-10-25T14:33:53.0766667+00:00

Hello everyone,

My firm is looking at deploying WHfB and we have been reading about it and have some questions...

We have a DC 2012 & a DC 2016, running a 2012 schema.

The domain is sync'd with AAD and the devices are within Intune.

This is how we're planning to push it out, through a config profile rather than firm wide.

Do we need to change anything on-prem or in the cloud? The schema is a little old at this point.

Do we need to have Cloud Kerberos?

What kind of WHfB does Intune push out? Key/Cert?

When we turned the test users on, we got the error 'Your credentials could not be verified' for both PIN & facial. We think we've missed a step but everything online says it's set up correctly.


1 answer

  1. Crystal-MSFT 44,851 Reputation points Microsoft Vendor
    2023-10-26T02:23:07.68+00:00

    @Tom Wrigglesworth, Thanks for posting in Q&A. To deploy Windows Hello for Business through Intune, you need to configure a Windows Hello for Business policy and deploy it to the devices.

    The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide#using-this-guide

    Meanwhile please ensure that your devices meet the minimum client requirements.

    Windows Hello for Business can use either key trust or certificate trust, depending on your deployment's trust type.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-windows-hello-for-business-policy

    If you want to configure Windows Hello for Business settings with PIN, you can configure it via Identity protection policy or Settings catalog policy. Here is a link that lists the detailed settings for your reference:

    https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings

    Hope the above information can help.

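The join state and Kerberos ticket state that the trust-type discussion above depends on can be read from a device with `dsregcmd /status`. The PowerShell below is an added example, not part of the original question or answer: the function names are hypothetical and the sample output is constructed, using field names that `dsregcmd /status` reports.

```powershell
# Added example: summarise the dsregcmd /status fields relevant to a hybrid WHfB rollout.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields look like "   AzureAdJoined : YES"; section banners do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-WhfbDeviceSummary {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        # Hybrid join: the device is joined to both on-prem AD and Microsoft Entra ID (AAD).
        HybridJoined  = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')
        # A Primary Refresh Token is present for the signed-in user.
        HasPrt        = $State['AzureAdPrt'] -eq 'YES'
        # A Windows Hello for Business credential is set for the signed-in user.
        HelloEnrolled = $State['NgcSet'] -eq 'YES'
        # Kerberos tickets for on-premises and cloud resources are present.
        OnPremTgt     = $State['OnPremTgt'] -eq 'YES'
        CloudTgt      = $State['CloudTgt'] -eq 'YES'
    }
}

# Constructed sample, trimmed to the relevant fields (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                 OnPremTgt : NO
                  CloudTgt : YES
'@ -split '\r?\n'

Get-WhfbDeviceSummary -State (ConvertFrom-DsregStatus -Lines $sample)
# On a test device, run as the affected user: ConvertFrom-DsregStatus -Lines (dsregcmd /status)
```

Comparing the summary from a pilot device with the trust type chosen in the planning guide shows whether the device state matches what that trust type expects before the profile is assigned more widely.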