Windows Hello for Business – Questions about initial sign-up and GPOs

  • Question

  • We have just recently begun setting up Windows Hello for Business to require users to sign in to their computers using a PIN and Fingerprint.

    Here are some brief details of our environment:

    1. On-premises non-federated Active Directory domain
    2. Windows Server 2016 and Windows Server 2012 DCs
    3. Azure Active Directory with Azure AD Connect synchronization and Azure MFA licensing.
    4. Made the required changes/additions as outlined in the Hybrid Azure AD joined Key Trust Deployment guide

    I’ve set up the Windows Hello for Business\Configure Device Unlock Factors GPO to require a Fingerprint as the first factor and a PIN as the second. When the user initially logs on to the computer with their Domain username and password, it prompts them to sign up with a fingerprint.

    1. The first problem is that there is a ‘Skip for now’ selection in the lower left. I’ve found no way to remove that. I don’t want our users to be able to choose this.
    2. We are planning on using USB fingerprint readers on computers. However, if the user unplugs the fingerprint reader, it then lets them complete the sign-in with just a PIN.
    3. It would be nice if, after a user completes the initial sign-up, they no longer had the option to use their password as a sign-in option. I’ve tested setting the System\Logon\Exclude credential providers GPO to remove the option, and it works, but if anyone else tried to log in to that computer they wouldn’t be able to at all, since they couldn’t put in their password initially.
    I've verified that the device is registered in Azure AD and a deviceKey attribute is added to the AAD user object after creation of the PIN/Fingerprint. So it seems like everything is set up correctly. However, I feel like I must be missing something, as this feels like a Windows Hello (consumer) experience instead of a Windows Hello for Business experience. Can anyone else who has implemented Windows Hello for Business in a similar way give me some insight? I would appreciate any help. Thank you.
    Thursday, August 16, 2018 1:35 AM

Answers

  • Hi,

    As far as I know, the ‘Skip for now’ option is hard-coded; it cannot be changed through official means.

    For configuring Windows Hello for Business in an Azure environment, refer to the "How to use Windows Hello for Business with Azure Active Directory" section of the following link:

    Manage Windows Hello for Business in your organization

    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by HeyHey173 Friday, August 17, 2018 1:15 PM
    Friday, August 17, 2018 8:54 AM
    Moderator

All replies

  • I figured as much. My points 2 and 3 above are solved. I still had the Exclude credential providers GPO set with the Password option. Thanks for your help.
    Friday, August 17, 2018 1:15 PM
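
An added audit script, not from this thread or from Microsoft, that checks a machine for the configuration behind point 3 of the question and the final reply: it reads the policy-backed registry values written by the "Exclude credential providers" and "Use Windows Hello for Business" GPOs and warns when the built-in password credential provider is excluded machine-wide, which is what locked out users who had not yet enrolled. The registry paths and the password provider CLSID are the standard Windows locations; the function and variable names are my own.

```powershell
# Added example: audit the two policies discussed in the thread on the local machine.
# Assumed (standard Windows) locations:
#   "Exclude credential providers" GPO -> REG_SZ ExcludedCredentialProviders
#       (comma-separated CLSIDs) under the Policies\System key
#   "Use Windows Hello for Business" GPO -> PassportForWork\Enabled
# The CLSID below is the built-in PasswordProvider credential provider.
$PasswordProviderClsid = '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}'
$SystemPolicyKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WhfbPolicyKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-PolicyValue {
    # Returns the named registry value, or $null when the key or value is absent.
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ExcludedProviders {
    # Pure function over the raw policy string so the rule can be checked offline.
    param([string]$RawValue)
    $clsids = @()
    if ($RawValue) {
        $clsids = $RawValue -split ',' |
                  ForEach-Object { $_.Trim().ToUpperInvariant() } |
                  Where-Object { $_ }
    }
    [pscustomobject]@{
        ExcludedClsids   = $clsids
        PasswordExcluded = ($clsids -contains $PasswordProviderClsid)
    }
}

$raw    = Get-PolicyValue -Key $SystemPolicyKey -Name 'ExcludedCredentialProviders'
$result = Test-ExcludedProviders -RawValue $raw
$whfb   = Get-PolicyValue -Key $WhfbPolicyKey -Name 'Enabled'

"Windows Hello for Business policy Enabled : $whfb"
"Excluded credential providers            : $($result.ExcludedClsids -join ', ')"
if ($result.PasswordExcluded) {
    Write-Warning ('The password provider is excluded machine-wide. A user who has not ' +
                   'yet enrolled a PIN/fingerprint on this device cannot sign in at all ' +
                   '(point 3 in the question). Remove it from the exclusion list and ' +
                   'let Windows Hello for Business enrollment replace the password instead.')
} else {
    'Password provider is still available for first-time sign-in; no lockout from this GPO.'
}
```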