Windows Hello for Business

andreas bright 561 Reputation points
2020-12-15T18:12:13.05+00:00

Hi,

We have not configured Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business. This has default settings as shown in the image. We have implemented the MS default security baseline, we have configured a BitLocker policy, and we have also enabled MFA. We have also configured a compliance policy as shown in the image. So I am wondering how it is that we still get Windows Hello when we enroll machines. Have we configured it somewhere? I am struggling to see the complete picture.

48410-hello.jpg

48491-hallo2.jpg

Thanks for reply

/R
Andy


3 answers

  1. Nick Hogarth 3,436 Reputation points
    2020-12-15T20:26:53.11+00:00

    Did you confirm in the security baseline that Block Windows Hello for Business is set to enabled? Do you have a Device Configuration profile that enables Windows Hello for Business? If all those settings do not enable it, you can try changing it to Disabled rather than Not configured in your screenshot.


  2. Lu Dai-MSFT 28,371 Reputation points
    2020-12-16T05:40:17.11+00:00

    @andreas bright Thanks for posting in our Q&A. From your description, I know that you get Windows Hello for Business when you don’t configure this setting in Intune. If there’s any misunderstanding, feel free to let us know.

    For this situation, I have done some research. I find that if the device is only Azure AD joined, it is most likely that the device is set to use Hello for Business automatically. We can read the following official article as a reference:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#how-to-use-windows-hello-for-business-with-azure-active-directory

    Based on my test, if we want to disable Windows Hello for Business, we can try the following steps:

    1. Go to the Microsoft Endpoint Manager admin center portal, Devices -> Enroll devices -> Windows enrollment, configure the setting “Windows Hello for Business” to “Disabled”, and configure settings like PIN length, etc. We can see more details in the following link:
      https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello#:~:text=You%20can%20integrate%20Windows%20Hello,or%20a%20virtual%20smart%20card
    2. Enroll the devices, then check and find that the Windows Hello for Business page will not appear.

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. andreas bright 561 Reputation points
    2020-12-16T05:51:56.06+00:00

    Hi,

    Thanks for reply.

    I am not sure what you mean by "confirm in the security baseline that Block Windows Hello for Business is set to enabled". I cannot find any settings in the baseline related to Windows Hello for Business.

    We do not have any Device Configuration Profiles that enable Windows Hello for Business.

    I guess we could try to disable it in the screenshot, but I would still like to see the complete picture. One thing that I was wondering about is whether maybe this is Windows Hello I see and not Windows Hello for Business? How can I see the difference?

    /R
    Andy