Windows Hello enabling itself?

  • Question

  • We've been using Intune to manage a number of Windows 10 v1709 machines.

    As of this morning, users are being prompted to enable Windows Hello, though we've had Windows Hello enrollment disabled by Intune (for months, with no recent changes). Is anyone else seeing this?

    Tuesday, November 14, 2017 4:47 PM

Answers

  • Just got this random alert in the Office 365 Admin portal:

    As discussed in IT125479, we have detected an issue with Intune’s enrollment workflow and the recently released Windows 10 Fall Creators Update (RS3). We mitigated the incident and any newly enrolled Windows RS3 devices will not receive additional Windows Hello Personal Identification Number (PIN) prompts. Unfortunately, this mitigation cannot retroactively go back and remove the extra prompt from an already enrolled device. Below we provide several mitigation options for the devices that already received the extra prompt.

    How does this affect me?

    Impact is scoped to devices with the following:

      • Windows 10 Fall Creators Update (RS3)
      • Windows Hello unintentionally active on a device
      • MDM-managed and enrolled prior to 11/30/2107

    What action do I need to take to work around this issue?

    If you have users who were prompted to configure a Windows Hello PIN, and you do not want them to have a Windows Hello PIN, you can remove the PIN prompt by following any of the options below:

    1) Remove the PIN they have configured using the following PowerShell commands from https://www.powershellgallery.com/packages/Microsoft.WindowsPassportUtilities.Commands/. The three commands must be executed on the client machine in the context of the user who set the PIN. A login script works well for context:

        Set-ExecutionPolicy RemoteSigned
        Install-Module -Name Microsoft.WindowsPassportUtilities.Commands
        Remove-PassportContainer -CurrentUser

    2) If your end users have configured Windows Hello fingerprint or face biometrics sign-in, they can only remove the prompt from Windows Settings. Unfortunately, there is no PowerShell automation option. Ask your impacted user(s) to browse to Settings -> Accounts -> Sign In Options and remove the Face or Fingerprint enrollment.

    3) If you have a user on RS3 who updated their device and has not logged in since, they may be prompted to set up Windows Hello on their next login. If you want to prevent this from happening, you can do so by deleting the folder %programdata%\Microsoft\DMClient and everything in it. This will prevent the Windows Hello setup prompt from running on the user’s next login.

    Friday, December 1, 2017 5:59 AM
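
A logon-script wrapper for option 1 of the alert above, added here as an example; it is not Microsoft's script. It scopes the execution-policy change to the process and installs the module per user so the script needs no admin rights, and it assumes build 16299 identifies the affected RS3 release; the function name Invoke-HelloPinCleanup and the marker file HelloPinCleanup.done are hypothetical.

```powershell
# Added example (not Microsoft's script): per-user logon wrapper for option 1.
$ModuleName = 'Microsoft.WindowsPassportUtilities.Commands'
$Rs3Build   = 16299   # build number of Windows 10 version 1709 (RS3)
# Hypothetical per-user marker so the cleanup runs only once per profile.
$Marker     = Join-Path $env:LOCALAPPDATA 'HelloPinCleanup.done'

function Invoke-HelloPinCleanup {
    $ErrorActionPreference = 'Stop'   # make every failure reach the catch blocks

    if (Test-Path -LiteralPath $Marker) { return 'already-done' }

    # The alert scopes impact to RS3 devices; leave other builds alone.
    if ([Environment]::OSVersion.Version.Build -ne $Rs3Build) { return 'out-of-scope' }

    try {
        # Process scope ends with this session and needs no elevation,
        # unlike the machine-wide default of an unscoped Set-ExecutionPolicy.
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    }
    catch {
        # A policy set by Group Policy takes precedence; carry on with it.
        Write-Warning "Execution policy not changed: $($_.Exception.Message)"
    }

    try {
        if (-not (Get-Module -ListAvailable -Name $ModuleName)) {
            # CurrentUser scope installs into the user's profile;
            # -Force suppresses the interactive confirmation prompts.
            Install-Module -Name $ModuleName -Scope CurrentUser -Force
        }
        Import-Module -Name $ModuleName
        Remove-PassportContainer -CurrentUser
    }
    catch {
        # No marker is written, so the next logon tries again.
        Write-Warning "Windows Hello PIN cleanup failed: $($_.Exception.Message)"
        return 'failed'
    }

    New-Item -ItemType File -Path $Marker -Force | Out-Null
    return 'removed'
}

Invoke-HelloPinCleanup
```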

All replies

  • Hello,

    Please sign in to the new Intune portal, and go to Intune -> Device enrollment -> Windows enrollment -> Windows Hello for Business, just choose the Settings for the default policy, and make sure that the option for Configure Windows Hello for Business is "Disabled", NOT set to "Not configured".

    Best regards,

    Andy Liu


    Wednesday, November 15, 2017 2:28 AM
  • Hello,

    We are experiencing exactly the same problem, even if Windows Hello for Business is disabled.

    Thursday, November 30, 2017 11:06 AM