[Case Sharing] Windows Hello for Business device PIN is prompted when enrolling a Windows device into Intune via AAD registration

  • General discussion

  • Case Description
    ==================
    Windows Hello for Business configuration is set to Not configured in Intune.


    But when registering a device in Intune without AAD join, the user is asked to set up MFA and a WHFB device PIN during enrollment.





    Cause  
    ==================
    The default behavior for workplace join is that the user will be prompted to set up a PIN when they add the account. Explicit policy does not need to be set. WHFB is supposed to be upsold by design after MDM enrollment has succeeded in WPJ. And we do not force the user to provision if they cancel out of PIN setup when the account is added. 

    That also explains why PIN setup is not required during workplace join without MDM enrollment.

    In Azure AD Join, we will force the user to provision if the policy is set to "not configured." Every time the user signs in they will have a full screen experience to provision until they complete successfully. For Workplace Join, we only upsell during registration.


    Resolution
    ==================

    • The prompt can be closed without impacting device registration in Intune and Azure AD.
    • Or WHFB can be configured to Disabled to remove the prompt, but users will not be able to set up a WHFB device PIN later.


    Reference
    ==================
    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide
    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization


    Hope the above information is helpful. If you need further assistance on this issue, feel free to post a question by clicking "Ask a question" at the top left of this page, and we will try our best to help you!



    Monday, September 30, 2019 5:45 AM
    Moderator
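
A read-only check an administrator could run on an affected device to see which of the cases above applies. This is an added example, not part of the original post or Microsoft's own tooling. The function names are hypothetical, and the two registry locations (the Group Policy `Enabled` value and the per-tenant MDM `UsePassportForWork` value) are assumptions about where the WHFB setting is commonly written, not taken from the post.

```powershell
# Added example: read-only triage, run in the signed-in user's session so that
# `dsregcmd /status` reports that user's WorkplaceJoined state.
function Get-JoinState {
    param([string[]]$DsregOutput)            # lines printed by `dsregcmd /status`
    $state = @{ AzureAdJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $state
}

function Get-WhfbPolicy {
    # Assumed locations: Group Policy value first, then the per-tenant MDM value.
    $gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
        -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $gpo) { return [int]$gpo.Enabled }
    $tenants = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' `
        -ErrorAction SilentlyContinue
    foreach ($tenant in $tenants) {
        $mdm = Get-ItemProperty "$($tenant.PSPath)\Device\Policies" `
            -Name UsePassportForWork -ErrorAction SilentlyContinue
        if ($null -ne $mdm) { return [int]$mdm.UsePassportForWork }
    }
    return $null                             # nothing set: "Not configured"
}

function Get-ExpectedPinPrompt {
    param([hashtable]$Join, $Policy)
    # Mapping follows the Cause and Resolution sections of the post.
    if ($Policy -eq 0)   { return 'Disabled: no prompt, and no PIN setup later.' }
    if ($null -ne $Policy) { return 'Explicitly enabled: not covered by this post.' }
    if ($Join.AzureAdJoined) {
        return 'Not configured + AAD join: full-screen provisioning at each sign-in until completed.'
    }
    if ($Join.WorkplaceJoined) {
        return 'Not configured + workplace join: prompt only at registration with MDM enrollment; can be cancelled.'
    }
    return 'Neither joined nor registered: no behaviour described in this post.'
}

$join   = Get-JoinState -DsregOutput (dsregcmd /status)
$policy = Get-WhfbPolicy
Get-ExpectedPinPrompt -Join $join -Policy $policy
```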