Intune: How to Enable Windows Hello for Business?

Standard

The last couple of months it was a bit quiet on my blog. This had to do with some new project assignments and I had some presentations to prepare for WMUG and ExpertsLive. Now those events are done I’ve some time to write blogposts. Last week I was involved in a question to enable Windows Hello for Business for a group of users instead of all users. Within Intune you can configure Windows Hello for Business for all users and to configure it for a group of users an additional policy is needed. In this blogpost I want to explain what is needed to configure this scenario.

First lets start with showing you the standard Windows Hello for Business configuration options within Intune. If you go to https://portal.azure.com  > Intune > Device Enrollment > Windows Enrollment > Windows Hello for Business you can configure the default Windows Hello for Business policy which will be assigned to all users. At this moment the assignment cannot be changed. Below a screenshot of the settings you can configure within this policy:

image

In my case this policy was set to disabled since Windows Hello was not configured in the Active Directory environment. Recently the needed configuration in the AD was done and now we wanted to start testing with a group of users. But lets first start with checking how the disabled policy is applied on the users devices. You can check this by going to the following registry key:

image

and

image

Now we see that Windows Hello for Business is disabled lets configure an custom OMA-URI policy to set the Windows Hello for Business settings. The following settings need to be added to the custom OMA-URI policy:

  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/UsePassportForWork = true (Boolean)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/RequireSecurityDevice = true (Boolean)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/EnablePinRecovery = true (Boolean)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/UseCertificateForOnPremAuth = false (Boolean)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/MinimumPINLength = 8 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/MaximumPINLength = 16 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/SpecialCharacters = 1 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/Digits = 1 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/History = 5 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/<AzureAD Tenant ID>/Policies/PINComplexity/Expiration = 90 (Integer)
  • ./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics = true (Boolean)
  • ./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing = true (Boolean)

When you add the above entries to a custom Windows 10 policy it will look like this:

image

When you assign this policy to a group of users the Windows Hello for Business policy will arrive on the client and applying the above settings. You can also check this in the registry:

image

When the policy is applied and the users restarts his workstation the policy should be enforced and the user should get the Windows Hello for Business enrollment screens:

image

image

image

The conclusion of above blogpost is that with using a custom OMA-URI policy we can configure Windows Hello for Business for a group of users. Thanks to Sandy a colleague MVP to verify above.

3 thoughts on “Intune: How to Enable Windows Hello for Business?

  1. Hi Arjan,

    a while ago I did almost the same for a customer. The customer wanted to block WHfB for all at this phase of the project and disabled the global policy therefore. Then we created the custom OMA-URI’s to configure certain users with WHfB. It seemed to work but we found suddenly flipping setting which resulted into sudden PIN creation dialogs again or it took several hours or days to pop up the Pin creation dialog. We found after troubleshooting that the settings compete each other and where flipping the settings either to disabled or configured. I wanted to make aware of this issue if someone plans to try the same path. Hopefully MS will give us options to control this for user groups in future sometime.
    best,
    Oliver

    • Arjan Vroege

      Hi Oliver,
      I’ve seen these screens during testing but the last week I haven’t seen the screens. I will update the post with some additional test results.
      Regards, Arjan

      • Rkast

        Even with Not Configured I see the PIN on win10 at customers that start to use Intune. Disabling and switch back helps most of the time

Leave a Reply