@Shahin Mortazave Thanks for posting in our Q&A forum.
Intune integrates with Hello for Business in two ways:
- As your screenshot shows, an Intune policy can be created under Device enrollment. This policy targets the entire organization (tenant-wide). It supports the Windows AutoPilot out-of-box-experience (OOBE) and is applied when a device enrolls.
- As RahulJindal has mentioned, an identity protection profile can be created under Device configuration. This profile targets assigned users and devices, and is applied during check-in.
To meet our requirements:
For option 1, if you don't want to enable Windows Hello for Business during device enrollment, select the Disable option.
For option 2, under Configuration Settings -> Account Protection -> Block Windows Hello for Business, select Enabled.
Hope this can help.