Configure Windows Hello for Business to not use certificates?

  • Question

  • Hi

    Setup: Windows 10 Ent (1709)
    Microsoft Intune
    Office 365 E3

    Is it possible to configure Windows Hello for Business with Microsoft Intune MDM to not use certificates, but instead use pin/biometrics with username and password?
    Previously, in an on-prem Active Directory setup, you could configure Windows Hello with convenience PIN sign-in through Group Policy. Is it possible to do the same in an Azure AD only environment with Intune MDM?

    https://support.microsoft.com/en-us/help/3201940/can-t-configure-a-pin-when-convenience-pin-and-hello-for-business-poli
    I know that username and password instead of certificates is not the recommended approach, but Windows Hello for Business with certificates does not work well with Windows 10 (1709) Azure AD Kerberos SSO auth against on-prem File Servers \ Printers and on-prem websites.

    If the user logs in with username and password instead of using Pin, it all works well. We want to enable the old “Windows Hello / convenience Pin” setup until we have sorted out the legacy on-prem requirements.

    Based on the documentation, I have tried to set the Windows Hello for Business configuration in Intune to “Not Configured”.
    Newly enrolled devices will still be required to set up Windows Hello for Business during OOBE.

    Use Windows Hello for Business

     

    Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

    Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

    Disabled: Device does not provision Windows Hello for Business for any user.

     

    Thanks!


    Sunday, December 3, 2017 12:09 PM

All replies

  • Hi,

    It seems that we could configure Windows Hello for Business with PIN or biometric authentication through Microsoft Intune.

    Please see the official article notes:

    Microsoft Intune integrates with Windows Hello for Business (formerly Microsoft Passport for Work), an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card.
    Hello for Business lets you use a user gesture to sign in, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.

    I also found a capture for configuration:

    As we do not have the scenario you described, we can't test on our side. I would very much appreciate it if you could feed back your test results to us. It might be useful for other customers.

    The above information and the capture I referred to are from the following link.

    Use Windows Hello for Business

    How to setup Windows Hello for Business in the new Intune portal

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 4, 2017 8:40 AM
    Moderator
  • Hi

    Thanks for the response.

    I'll try to explain it another way; I don't want to use Windows Hello for Business. I want to use:
    Convenience PIN sign-in

    How can I achieve that with Windows 10 & Azure AD & Intune?

    Update:
    I just had a call with Intune support, Windows Hello configuration in Intune is not working as expected:

    "Windows Hello for Business is forcefully applying to Windows 10 version -1709 Intune enrolled machines.
    This is known issue for us and is expected to be resolved in next Windows version 1711.

    Version 1711 is under Insider preview.
    We are expecting that Windows 10 1711 would be released somewhere around end of December 17 or early January 18."

    Tuesday, December 5, 2017 12:26 PM
  • Hi Christian, 

    I would like to apologize for misunderstanding your issue. Thank you for your feedback and for updating the information.

    It would be useful for other customers who have the same requirement as you.

    Bests,



    Wednesday, December 6, 2017 9:35 AM
    Moderator