Managing Windows Hello for Business (WHfB) with Intune is very “easy”; you have so many options:
- At device enrollment: Tenant-wide policy
- After device enrollment, at least four methods:
  - Endpoint Security > Account protection (Preview)
  - Configuration profiles > Identity protection
  - Settings catalog
  - Custom OMA-URI
So which method should we use? And what if you have different scenarios that come with additional requirements?
For example:
- Multiple users use the same device, but only some users should be using WHfB
- Only allow WHfB for some devices
- Different WHfB requirements for users
I hope you can find your answers after reading this post.
At device enrollment – Tenant-wide policy
Tenant-wide policy targets your entire organization and supports Windows Autopilot. It is the right choice if you plan to enable or disable WHfB for your entire organization with one and the same WHfB configuration. The tenant-wide policy is applied at device enrollment, and it applies to the device for every user who logs on.
The tenant-wide policy has three options:
- Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, other settings for Windows Hello are visible and can be configured for devices.
- Disabled. If you don’t want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can’t provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won’t enable Windows Hello for Business.
- Not configured. Select this setting if you don’t want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10/11 devices aren’t changed. All other settings on the pane are unavailable.
Which one should you use?
- If you have decided the entire organization will use WHfB with the same configuration, choose “Enabled”.
- If you have decided the entire organization will NOT use WHfB, choose “Disabled”.
NOTE: When you use “Disabled”, all other WHfB configurations still apply (for example Minimum PIN length 4, Maximum PIN length 127); the policy just won’t allow Hello to be enabled. So if you deploy another WHfB policy to the same devices with different requirements, for example Minimum PIN length 6 and Maximum PIN length 16, the two policies conflict and you get unexpected behavior: sometimes WHfB is unavailable, sometimes it works.
- If you have multiple scenarios and use cases for WHfB, choose “Not configured”.
After device enrollment
Let’s assume you have set the tenant-wide policy to “Not configured” because you have multiple scenarios that require different WHfB configurations. As I mentioned before, at least four Intune methods let you manage WHfB. In my opinion, Account protection (Preview) and Settings catalog are both good options. Both have a nice UI and allow you to configure all the necessary settings.
Account protection (Preview)
You will find Account protection (Preview) under Endpoint security.
The policy itself worked as expected. I tested assigning one policy to a device group and another policy to a user group.
- When the policy is assigned to a device group, all users are prompted to configure WHfB at their first logon to the device.
- When the policy is assigned to a user group (with no policy assigned to the device), the targeted user didn’t get the WHfB prompt at first logon, which is expected. After the WHfB policy is synced, the targeted user gets the WHfB prompt at the next logon to the device. Untargeted users never get the prompt and are not allowed to configure WHfB, as long as no other WHfB policy is assigned to the device.
The WHfB configuration worked; however, reporting is missing some devices when the policy is assigned to a user group.
My user account [email protected] is logged on to three devices, MVP24-001, MVP24-002 and MVP006, and I confirmed WHfB is applied to all three virtual machines for my user account. But as you can see in the report, it only shows the devices that have [email protected] as the primary user, not the other two devices with different primary users or without a primary user.
Settings catalog
The Settings catalog allows you to configure WHfB settings for devices and/or users. See details in PassportForWork CSP – Windows Client Management | Microsoft Docs.
I configured a few settings with the settings catalog and deployed them to a user group. The result is good: the WHfB settings are applied to my targeted user when logging on to those three virtual machines. I confirmed it from all three virtual machines.
Let’s take a look at the settings catalog reports.
Device assignment status report: same issue as Account protection (Preview). It only shows the devices that have [email protected] as the primary user, not the other two devices with different primary users or without a primary user.
Per setting status report: this looks better, and it did show three records per setting name.
The device and user check-in status report looks good; it also shows 3 Succeeded, and the real-time report (View report) shows all the devices I was looking for. I am happy with this report.
Summary
After all these tests, as of this moment, I will use the following:
- Tenant-wide policy set to “Not configured”
- Create a device group to allow WHfB
- Use the settings catalog to deploy the WHfB device configuration to the device group
- Create a user group to allow WHfB (if needed)
- Use the settings catalog to deploy the WHfB user configuration to the user group (if needed)
Device configuration deployed to a device group will be my first choice because it applies to all users of the device. Users are prompted to set up WHfB immediately when they first log on to the device, with no need to wait for the user policy to sync and then log on again. But of course, if you have scenarios that require different settings for different users, you will need the WHfB user configuration: be patient, allow the policy to sync, and the user policy applies at the next logon.
Can I use device configuration and deploy it to a user group?
The answer is YES. As a matter of fact, some settings are only available in the device configuration, as in this doc: PassportForWork CSP – Windows Client Management | Microsoft Docs. When you use device configuration, all users who log on to the device get the same WHfB settings, but you can use the settings catalog setting “Use Passport For Work (User)” to control that only the targeted user is prompted to set up WHfB.
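As an added example (my own script, not the author’s and not Microsoft’s), here is a PowerShell audit you can run on a client to see which PassportForWork policy it actually holds at device scope and at user scope, to flag the PIN-length conflict described in the NOTE above, and to pull the MDM client’s diagnostic events for the CSP. The registry locations, value names and the event channel name are assumptions about where the PassportForWork CSP and the equivalent Group Policy store their settings; verify them on your build before relying on the output.

```powershell
# Added example (not from the original post): audit which Windows Hello for Business
# policy a client actually holds, at device and user scope, and flag conflicts.
# Assumptions (not stated on the page): policy delivered through the PassportForWork
# CSP or Group Policy lands under
#   HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork   (device scope,
#       ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/...)
#   HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork   (user scope,
#       ./User/Vendor/MSFT/PassportForWork/<TenantId>/Policies/...)
# with 'Enabled' (1/0) on the key and MinimumPINLength / MaximumPINLength under
# the PINComplexity subkey. Run on the client, logged on as the user you are checking.

function Get-WhfbPolicyScope {
    param(
        [Parameter(Mandatory)][string]$Root,   # registry key for the scope
        [Parameter(Mandatory)][string]$Scope   # label: 'Device' or 'User'
    )
    $result = [ordered]@{
        Scope            = $Scope
        KeyPresent       = Test-Path -Path $Root
        Enabled          = $null   # 1 = enabled, 0 = disabled, $null = not configured
        MinimumPINLength = $null
        MaximumPINLength = $null
    }
    if ($result.KeyPresent) {
        $result.Enabled = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).Enabled
        $pinKey = Join-Path -Path $Root -ChildPath 'PINComplexity'
        if (Test-Path -Path $pinKey) {
            $pin = Get-ItemProperty -Path $pinKey -ErrorAction SilentlyContinue
            $result.MinimumPINLength = $pin.MinimumPINLength
            $result.MaximumPINLength = $pin.MaximumPINLength
        }
    }
    [pscustomobject]$result
}

function Test-WhfbPolicyConflict {
    param(
        [Parameter(Mandatory)]$Device,
        [Parameter(Mandatory)]$User
    )
    $findings = @()

    # A min > max pair inside one scope typically means two policies are overwriting
    # each other's values (e.g. tenant-wide defaults 4/127 vs a second policy 6/16).
    foreach ($s in @($Device, $User)) {
        if ($null -ne $s.MinimumPINLength -and $null -ne $s.MaximumPINLength -and
            $s.MinimumPINLength -gt $s.MaximumPINLength) {
            $findings += "$($s.Scope): MinimumPINLength $($s.MinimumPINLength) exceeds MaximumPINLength $($s.MaximumPINLength)"
        }
    }

    # Device and user scope carrying different requirements is the mixed-policy
    # situation the post warns about; decide which scope should own each setting.
    foreach ($name in 'Enabled', 'MinimumPINLength', 'MaximumPINLength') {
        $d = $Device.$name
        $u = $User.$name
        if ($null -ne $d -and $null -ne $u -and $d -ne $u) {
            $findings += "Device and user scope disagree on ${name}: device=$d user=$u"
        }
    }

    # Nothing configured at either scope usually means no policy has reached the
    # client yet (tenant-wide 'Not configured' and no other assignment synced).
    if (-not $Device.KeyPresent -and -not $User.KeyPresent) {
        $findings += 'No PassportForWork policy present at device or user scope'
    }
    $findings
}

function Get-WhfbMdmEvents {
    param([int]$MaxEvents = 200)
    # MDM client diagnostics channel (assumed name); keep only entries naming the CSP.
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PassportForWork' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$device = Get-WhfbPolicyScope -Root 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Scope 'Device'
$user   = Get-WhfbPolicyScope -Root 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' -Scope 'User'
$device, $user | Format-Table -AutoSize
Test-WhfbPolicyConflict -Device $device -User $user
Get-WhfbMdmEvents | Format-Table -Wrap
```

Run it once on a device that holds only the tenant-wide policy and once on a device that also received a settings catalog or Account protection policy; the findings list is what tells you whether the two are fighting over the PIN lengths, and the event list shows whether the MDM client ever processed the CSP at all.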
Hope this post will help your password-less journey.
This is the easiest walkthrough I have seen on the subject, especially being new to Intune/Endpoint Manager.
Previously, we had Windows Hello set up via GPO, and I am wondering if this could be breaking my Intune profile that I set up. When I check my device in Intune, I do not see this as a profile, even though the profile itself shows my device as ‘Pending’ under the Assignment Status (in Device status).
I’ve checked the Windows Event Logs under Applications and Services -> Microsoft -> DeviceManagement-Enterprise-Diagnostics-Provider -> Operational. I can see my policy for Attack Surface Reduction rules being set fine, but it doesn’t show anything about the WHfB policy, success or failure, which I thought was strange. Is there anywhere else to dig to find why a policy isn’t showing up, or shows up under the device as ‘Not Applicable’? The Not Applicable policies are really unhelpful, as I have no real way to figure out why it is considered not applicable.