This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 13%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello,
It seems very confusing when Microsoft has no clear direction for how to create Windows Hello for Business deployment profile from Intune. Below article describes that Identity protection method for Hello is deprecated.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy
Now as per my understanding there are currently at least 4 methods which i am aware of are available.
Question 1 is, which one is recommended/best?
1- Using System Catalog
2- Using Custom CSP profile
3- Identity Protection
4- Account Protection
5-Global Windows Hello(lets way we disabled it and want to use targeted group of computers, so which of above is clear direction).
**Question 2:**Also, i faced issue when Disabled using Identity Protection for all, then enabled using System Catalog, policy wasn't enabling, any one has any idea on this too?, though enable using Identity Protection Config profile does work but Microsoft is deprecating that method
thanks
Depends on the requirements, but in most cases, it is Account Protection for me. Have a look at this which discusses the various options.
https://rahuljindalmyit.blogspot.com/2021/04/how-to-block-windows-hello-for-business.html
thanks, so there is no clear direction on policies from Microsoft? as one of the policy in Configuration profile is being deprecated too.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@SMF, Thanks for posting in Q&A.
Q1: Based on my research, the recommended method for deploying Windows Hello for Business is using the Account Protection policy. This method is part of the endpoint security policies in Intune and is designed to manage Windows Hello settings effectively.
https://msendpointmgr.com/2022/09/04/manage-windows-hello-for-business-whfb-with-intune/
Non-official, just for reference.
Q2: Since you are using Account Protection to disable WHfB and System Catalog to enable WHfB, the policies created in these two different ways will cause a conflict that will invalidate the WHfB-enabled policy you created using System Catalog, it is recommended that you delete the WHfB policy created using Identity Protection (both the enable and disable policies), and then re-create a new WHfB policy using Account Protection. We recommend that you delete the WHfB policy created using Identity Protection (both enabled and disabled policies) and re-create a new WHfB policy using Account Protection.
Hope this can help you.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your reply, just tried from Account protection, but it seems it doesn't have Allow Biometric authentication and Use security keys for sign-in, so seems like partial settings here?
Also for second question, when enabled using setting catalog, we did create exception in Identity Protection policy of disabling, but it seems with even exception and new policy using Setting Catalog to enable doesn't work.
thanks
This is what happening, when global disable policy in identity protection runs targetting all devices, it creates an entry in registry hklm\software\microsoft\policies\passport for work\tenant\SID(Of the user)\disable.
Having this entry here, if we create a policy using Account Protection or System Catalog doesn't work even when have device exclusion on the Disable policy.
Any export who has deep inside of how registry setting applies in real for Windows hello?
@SMF, Thanks for your reply.
Based on my research, identity protection and account protection were deprecated and replaced by a new consolidated profile named Account protection, since this is a new integration, it's possible that only some of the settings have been added to it and the quirky features haven't been added yet, you can use the Settings Catalog to set up WHfB first and then come back to watch for feature updates or submit feedback to Intune.
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472
As for the second question, please check the following.
1.Check whether the exception is still in Identity Protection policy of disabling and work properly. If the exception did not work, the two policies will cause conflict and WHfB will not work.
2.Check whether the exception devices registry key set to enable in hklm\software\microsoft\policies\passport for work\tenant\SID(Of the user)\disable. Because the resigtry is set to enable by default if there is no policy applied.
3.Check the WHfB profile status created by Settings Catalog in Intune.
4.Check whether you can set up Windows Hello in settings on targeted device. Location: Settings > Account > Sign-in Options.
My observation now is, all of the policies when we create, it configure policy under Tenant\Device in registry, and setting in \SID\ prevails, only way i was able to get around is, use OMA-URI which was applied to device group, but configured both settings(./Device And ./User), otherwise if i configure only one setting of ./Device, it doesn't work.
Any issue configuring both?
thanks
@SMF, Thanks for your reply.
If you create a policy you should just configure either./Device or./User, if you configure both of them, it will cause conflict. When you configure ./Device, it means that every user who sign in the device will apply the policy, but if you configure ./User, it means that when the assigned user login to the device, the user will apply the policy.
Here is what happening.
IF a policy was previously applied to Disable Hello from Identity protection, it creates registry entry under SID\poilcies\usepassportforWork=0 despite the policy was applied to device and not the user
Now,
We needs to protect "protect" device regardless of the user, and if we apply policy to device(with exception in above disable policy), it creates entries under tenant\device\policies\usepassportforwork=1, however, SID\poilcies\usepassportforWork=0 entry(mentioned above) doesn't disappear automatically and Windows hello doesn't kicks in, unless we delete full registry folder from SID\poilcies\usepassportforWork OR we apply policy to a user, if we apply a User policy ./user/vendoer/msft...., then it applies to one user only, if another user logs in to same PC, it gives default policy of Hello.
@SMF, Thanks for your reply.
If you disable Hello from Identity protection with the exception device, could you check whether it creates registry entry under SID\poilcies\usepassportforWork=0? if yes, it means the exception failed, you should delete the disabled Hello policy from Identity protection and create a new policy from settings catalog for device and assign it. Also, if you assign policy to device group, it will take more time to apply than user group.
Or you can just delete the registry folder from SID\poilcies\usepassportforWork and assign a new policy.
Issue will not solve with any deletion, because deletion of policy doesn't delete existing registry entries from workstation.
issue is:
Disable policy=applies to all devices in Identity Protection and new exception created for Device A.
Now
Created
Enable Policy using Setting Catelog/AccountProtectino/OMA-URI: Targeting device and have Device A in it.
As soon as allow policy kicks in, it creates somehow entry in SID with UserPassportForWork=0,rather then under Device in registry because of this, anything under "Device" become secondary, and SID policy prevails.
Question:
1- Is it possible to get around so it doesn't create under SID so device policy prevails?
2- If i delete SID registry entry post above scenario, all things work fine, do you see any impact of manually deleting SID registry key?
3- If i use policy of "User" setting in Hello, then target group should be User or Device? as idea is to apply Hello on any user login to the device
thanks
@SMF, Thanks for your confirmation.
1.Intune is an MDM tool that change the registry value via Windows CSP to configure the settings of Windows, this is by design, so we cannot configure keys except SID.
2.Based on my research, if you delete SID registry entry post above scenario, it means that you delete the policy applied on targeted device and there is no impact for the device.
3.If you use policy of "User" setting in Hello, we should target group to User group, and it will apply Hello on any user login to the device.
For point 3: This is the issue, when i am applying User Policy targeting Users, it applies to first user only, if second user login then it gives "Default" PIN configuration policy and not the policy which was applied to first user.
For point3, this is the problem, when created User Policy and targeted user, it applied on first user, but didn't apply on second or next user, any reason
One thing noted for point 3: User policy for additional user does apply, but take long time, and in this mean time default Hello policy applies because device disable key is disabled already.
@SMF, Thanks for your reply.
If you assign policy to user group, and one user login the device, it will apply the policy, but if another user login the device, it will take some time for the login user to apply the policy, please wait for some time.
Thank you.
Hi, on above comment, need one more clarity, If we talk about Windows hello for "user targeting on a new device", it doesn't ask for Intune configuration profile for Windows Hello when user enroll the device RATHER, a default Windows hello(may be because it is bydefault enabled in Windows 11) kicks in, which actually bring different settings for PIN at the time of first time Windows device enrollment, and when (after may be couple of hours or next day) Config profile targeting User profile kicks in and picks and pushes correct profile, is there any way to address this?
This issue doesn't come when targeting device and it picks correct profile at from 1st time enrollment.
Thanks
MF