Did you confirm in the security baseline that Block Windows Hello for Business is set to enabled? Do you have a Device Configuration profile that enables Windows Hello for Business? If all those settings do not enable it, you can try changing it to Disabled rather than Not configured in your screenshot.
Windows Hello for Business

Hi,
We have not configured Devices > Enrollment > Enroll devices > Windows enrollment > Windows Hello for Business. This has default settings as shown in the image. We have implemented the MS default security baseline, we have configured a BitLocker policy, and we have also enabled MFA. We have also configured a compliance policy as shown in the image... so I am wondering how it is that we still get Windows Hello when we enroll machines. Have we configured it somewhere? I am struggling to see the complete picture.
Thanks for reply
/R
Andy
Lu Dai-MSFT 22,896 Reputation points Microsoft Vendor
2020-12-16T05:40:17.11+00:00
@andreas bright Thanks for posting in our Q&A. From your description, I know that you get Windows Hello for Business when you don’t configure this setting in Intune. If there’s any misunderstanding, feel free to let us know.
For this situation, I have done some research. I find that if the device is only Azure AD joined, it is most likely that the device is set to use Hello for Business automatically. We can read the official article in the following as a reference:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#how-to-use-windows-hello-for-business-with-azure-active-directory
Based on my test, if we want to disable Windows Hello for Business, we can try the following steps to disable Windows Hello for Business:
- Go to the Microsoft Endpoint Manager admin center portal, Devices -> Enroll devices -> Windows enrollment, configure the setting “Windows Hello for Business” to “Disabled” and configure the settings like PIN length, etc. We can see more details in the following link:
  https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello#:~:text=You%20can%20integrate%20Windows%20Hello,or%20a%20virtual%20smart%20card
- Enroll the devices, check and find that the Windows Hello for Business page will not appear.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
andreas bright 521 Reputation points
2020-12-16T05:51:56.06+00:00
Hi,
Thanks for reply.
I am not sure what you mean by "confirm in the security baseline that Block Windows Hello for Business is set to enabled". I cannot find any settings in the baseline related to Windows Hello for Business.
We do not have any Device Configuration Profiles that enable Windows Hello for Business.
I guess we could try to disable it in the screenshot, but still I would like to see the complete picture. One thing that I was wondering about is maybe this is Windows Hello I see and not Windows Hello for Business? How can I see the difference?
/R
Andy
@andreas bright I am currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
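
A device-side check for the situation discussed in this thread, as an added example that is not part of any post above: it parses `dsregcmd /status` output to report whether the device is only Azure AD joined and whether a Windows Hello key is registered for the signed-in user. The function name `Get-HelloState` and the sample output are constructed for illustration.

```powershell
# Added example, not from the thread. Get-HelloState is a hypothetical helper name.
function Get-HelloState {
    param(
        # Defaults to the live command; pass captured text to analyse offline.
        [string[]]$StatusLines = (dsregcmd /status)
    )

    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Name : Value" pairs; banner lines start with + or |.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined = $state['DomainJoined']  -eq 'YES'

    [pscustomobject]@{
        AzureAdJoined     = $aadJoined
        DomainJoined      = $domainJoined
        # "Only Azure AD joined" is the case the answer says provisions Hello automatically.
        AzureAdJoinedOnly = $aadJoined -and -not $domainJoined
        # NgcSet is YES when a Windows Hello key is set for the current logged-on user.
        NgcSet            = $state['NgcSet'] -eq 'YES'
    }
}

# Constructed sample of dsregcmd /status output (trimmed), so the example runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
'@ -split "`r?`n"

Get-HelloState -StatusLines $sample | Format-List
```

Run `Get-HelloState` with no arguments as the enrolled user to read the live state; running it before and after changing the tenant-wide enrollment setting shows whether a newly enrolled device still registers a key.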