DjordjeNovakovic-1142 asked:

Windows Hello for Business in Intune

Hello,

We have hybrid Active Directory configured in our environment and we have started implementing Windows Hello for Business (for that hybrid environment).
We have also started with Intune and Autopilot installations, and joined some devices to Azure AD only.

We have not enabled WHfB in Intune (it is set to Not Configured), but during the Autopilot process one step requires setting up a PIN, fingerprint, etc.
[Screenshot attached: whfb.jpg, showing the Windows Hello setup step during Autopilot OOBE]

What would happen if we enable this WHfB setting in Intune? Will it be a conflict with the current one in hybrid environment?

Or is this configuration in Intune only related to devices that are in Azure AD and managed by MDM?

Thanks!


Crystal-MSFT answered:

@DjordjeNovakovic-1142, the "Not configured" value means we don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10/11 devices aren't changed. If we don't want to enable Windows Hello for Business during device enrollment, we can change the value to Disabled to see if the step is still there. Here is a link for reference:
https://docs.microsoft.com/en-us/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy

The Windows Hello for Business policy under Windows enrollment supports the Windows Autopilot out-of-box experience (OOBE) and is applied when a device enrolls. It will not affect devices in the on-premises environment that are not enrolling into Intune.

If this is a hybrid Azure AD joined device that is enrolled into Intune, and we deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, the Group Policy settings will take precedence and the Intune settings will be ignored. Here is an article for reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy

Hope it can help.


RahulJindal-2267 answered (1 vote):
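A defender-side check for the precedence described in the answer above, added here as an example and not code from the thread or from Microsoft: it reads the Group Policy and the Intune/MDM locations for the Windows Hello for Business policy on a local device and reports which one is effective. The Group Policy key is the documented PassportForWork policy key; the MDM path and the UsePassportForWork value name are assumptions about where the PassportForWork CSP writes tenant-scoped device policy.

```powershell
# Added example (not from the thread): show where WHfB policy on this device
# comes from, applying the precedence the answer describes: when both Group
# Policy and Intune set it, Group Policy wins and the Intune value is ignored.
$gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
# Assumption: the PassportForWork CSP stores device policy per tenant under this root
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'

function Get-WhfbPolicySource {
    $result = [ordered]@{
        GroupPolicy = $null   # $true/$false when a GPO value exists, else $null
        Intune      = $null   # $true/$false when an MDM value exists, else $null
        Effective   = 'Not configured by either source (device defaults apply)'
    }

    # Group Policy: "Use Windows Hello for Business" writes Enabled = 1 (or 0 when disabled)
    $gpo = Get-ItemProperty -Path $gpoKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $gpo) { $result.GroupPolicy = [bool]$gpo.Enabled }

    # MDM/Intune: one subkey per tenant id; assumed layout <tenant>\Device\Policies
    Get-ChildItem -Path $mdmRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $policies = "Registry::$($_.Name)\Device\Policies"
        $mdm = Get-ItemProperty -Path $policies -Name UsePassportForWork -ErrorAction SilentlyContinue
        if ($null -ne $mdm) { $result.Intune = [bool]$mdm.UsePassportForWork }
    }

    # Precedence from the answer: Group Policy first, then Intune, else not configured
    if ($null -ne $result.GroupPolicy) {
        $result.Effective = "Group Policy (Enabled=$($result.GroupPolicy)); any Intune value is ignored"
    } elseif ($null -ne $result.Intune) {
        $result.Effective = "Intune/MDM (UsePassportForWork=$($result.Intune))"
    }

    [pscustomobject]$result
}

# Run elevated on the device being checked; both keys are under HKLM.
Get-WhfbPolicySource | Format-List
```

Comparing the output on a hybrid-joined device with Group Policy applied against an Azure AD-only Autopilot device makes the "Intune setting ignored" case visible without changing any policy.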

This is a tenant-wide setting and supports AAD identity. It will not work for hybrid joined devices. This will require additional configuration on-premises. However, the important question you should be asking yourself is why bother to continue investing in hybrid when you can manage just about anything using AAD identity?