Devices that were previously disabled for Windows Hello now refuse to see that they're allowed to use it

Vincent L 60 Reputation points
2023-11-14T13:02:14.57+00:00

Hello everyone,

I have devices that were previously configured through a Configuration Profile to not be able to use Windows Hello for Business. I have now added them to a group that is excluded from that Configuration Profile, and that adds them to another Configuration Profile which enables WHfB.

Except they don't seem to get the information and still see themselves as not being allowed. The Configuration Profiles seem to fight each other, and they're marked as being in Conflict. Finally, devices that were in the excluded group right from the start are perfectly fine using WHfB. So the configuration in itself is validated.

Could you please assist and let me know how to convince those devices that they should use WHfB? :) Many thanks!

Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Other

Accepted answer
  1. Adam Zachary 2,936 Reputation points
    2023-11-15T01:01:52.3533333+00:00

    Hi Vincent,

    I had a similar issue a couple of weeks ago. After digging and researching MS documentation, here are some key steps you can take in order to resolve the issue:

    Verify the Configuration Profile:

    • Ensure the new configuration profile enabling WHfB is correctly set up in Microsoft Intune. Choose "Enable" under the Windows Hello for Business settings.

    Check Group Assignment:

    • Confirm that the devices are properly assigned to the group with the new policy that enables WHfB.

    Resolve Any Policy Conflicts:

    • In Intune, check for any conflicting policies that might be overriding the new settings. Adjust priorities or remove conflicting settings as needed.

    Force Policy Update on Devices:

    • On the affected devices, manually sync them with Intune to ensure they receive the updated policy. This can be done through the device settings or by restarting the devices.

    Monitor and Verify:

    • After the policy refresh, monitor the devices to confirm that the WHfB settings are applied correctly.

    If the issue persists, consult the Intune documentation for more in-depth troubleshooting steps or consider reaching out to Microsoft support for further assistance.

    Hope this answer can help you with your issue.
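
For the "Monitor and Verify" step above, an added example (not part of either answer, and not Microsoft's own tooling) that reports which WHfB policy values actually landed on an affected device and whether they disagree. The registry locations and the `dsregcmd` field names are not given in this thread; they are the standard places where the MDM PassportForWork policy and Group Policy record the setting.

```powershell
# Added example: show the Windows Hello for Business (WHfB) policy values
# present on this device. Run in an elevated PowerShell session on the device.

function Get-WhfbPolicyValue {
    param([string]$Path, [string]$Name, [string]$Source)
    # Returns nothing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{
            Source  = $Source
            Value   = $item.$Name
            Meaning = if ($item.$Name -eq 1) { 'WHfB enabled' } else { 'WHfB disabled' }
            Path    = $Path
        }
    }
}

$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

$results = @(
    # MDM (Intune) policy: one subkey per tenant ID.
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem -Path $mdmRoot) {
            $path = "$mdmRoot\$($tenant.PSChildName)\Device\Policies"
            Get-WhfbPolicyValue -Path $path -Name 'UsePassportForWork' `
                -Source "MDM tenant $($tenant.PSChildName)"
        }
    }
    # Group Policy, which can also set WHfB on hybrid-joined devices.
    Get-WhfbPolicyValue -Path $gpoPath -Name 'Enabled' -Source 'Group Policy'
)

if ($results.Count -eq 0) {
    Write-Warning 'No WHfB policy value found: the policy has not reached this device yet.'
} else {
    $results | Format-Table -AutoSize -Wrap
    if (@($results.Value | Sort-Object -Unique).Count -gt 1) {
        Write-Warning 'Sources disagree about WHfB: resolve the conflict, then sync again.'
    }
}

# What the device registration client itself reports.
dsregcmd /status | Select-String -Pattern 'NgcSet|PolicyEnabled'
```

Running it before and after a manual sync shows whether the old "disabled" value is still present on the device or has been replaced.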


1 additional answer

  1. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2023-11-15T02:01:15.8666667+00:00

    @Vincent L, thanks for posting in Q&A.

    From your description, I understand that you want to know why the excluded group in the Configuration Profile that disables WHFB finally works in another Configuration Profile that enables WHFB.

    Based on my research, I found that when you exclude groups from an assignment, you must exclude only user or only device groups, not a mixture of groups. And you should verify the new configuration profile is configured correctly. Moreover, this may need some time to sync with the targeted device.

    Hope this can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

