Windows Hello for Business - Explained


Hello All

I hope everyone is doing good. Today we are going to cover Windows Hello for Business in Azure AD with Intune.

When you have a hybrid environment (on-premises Active Directory plus Azure AD), Cloud Trust is the way Microsoft recommends to implement Windows Hello for Business using group policies and certificates. We will try to cover that topic in the next blog.

Windows Hello for Business – The basis


Windows Hello for Business (WHfB) replaces the need for strong, hard-to-remember passwords, with two-factor authentication on your devices. Authentication is done with either biometrics or PIN and is tied to the device. This means Windows Hello for Business needs to be configured on each device that the user uses.


PIN vs Password

A question often asked is how a PIN can be more secure than a password. The PIN that you use for Windows Hello for Business can consist only of digits and has a default minimum length of 6 characters. So a strong password sounds more secure, right?

The difference between the two is that the password can be used on any device, or even online in the case of Microsoft 365. The PIN, however, is tied to a specific device, so when somebody else knows your PIN they still need access to your device to log in to your account.

Now the problem with a PIN alone is that it can easily be stolen by shoulder surfing. When you leave your computer unattended for a moment, somebody could gain access to your device this way. A good way to mitigate this risk is to use Multi-Factor Unlock. This uses trusted signals, for example the Bluetooth of your mobile phone, to verify that it is really you who is logging in.

Good to know is that simple PINs are not allowed. Windows Hello for Business uses an algorithm that checks for a constant delta from one digit to the next. This prevents the use of repeating, sequential and simple patterns. For example, the PIN patterns below are not allowed:

  • 1111
  • 1234
  • 1357
  • 9630
  • 1593
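As an added example (not code from the original post or from Microsoft), here is a small checker that applies the constant-delta rule described above to the five PINs listed. The modulo-10 handling of the step is my reading of why 1593 is rejected (1->5, 5->9 and 9->3 each advance by 4 once the digits wrap past 9), and the minimum length of 6 is the default stated above.

```python
from typing import Optional


def digit_deltas(pin: str) -> list[int]:
    """Return the step from each digit to the next, taken modulo 10,
    so that 9 -> 3 counts as +4 exactly like 5 -> 9 does."""
    digits = [int(c) for c in pin]
    return [(b - a) % 10 for a, b in zip(digits, digits[1:])]


def has_constant_delta(pin: str) -> bool:
    """True when every digit-to-digit step is identical, which catches
    repeating (1111), sequential (1234) and evenly stepped (1357, 9630,
    1593) patterns in one test."""
    deltas = digit_deltas(pin)
    return len(deltas) > 0 and len(set(deltas)) == 1


def validate_pin(pin: str, min_length: int = 6) -> Optional[str]:
    """Return None if the PIN would be accepted, otherwise the reason it fails.
    min_length=6 mirrors the default minimum length mentioned in the post."""
    if not (pin.isascii() and pin.isdigit()):
        return "digits only"
    if len(pin) < min_length:
        return f"shorter than {min_length} digits"
    if has_constant_delta(pin):
        return "constant delta between digits (simple pattern)"
    return None


if __name__ == "__main__":
    # The first five are the disallowed patterns from the post; the last two
    # are constructed to show a rejected 6-digit pattern and an accepted PIN.
    for candidate in ["1111", "1234", "1357", "9630", "1593", "246802", "407192"]:
        print(candidate, "->", validate_pin(candidate) or "accepted")
```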

First we will walk through how you can join a Windows 10 device to Azure AD.

In order to join your device to Azure AD, your tenant must have the option Users may join devices to Azure AD enabled in the Azure portal under Azure Active Directory -> Devices -> Device settings, as follows.


How to enable Windows Hello for Business tenant-wide

Log in to the Intune admin center - https://endpoint.microsoft.com/

Select Windows Hello for Business

Configure Windows Hello for Business - set it to Enabled

Set the rest of the settings as per your organisation's needs, as below


Finally, save it

How to enable Windows Hello for Business for a selected group of people using a configuration profile

Log in to the Intune admin center - https://endpoint.microsoft.com

Click on Devices | Configuration Profile

Create a new profile

Select the platform as Windows 10 and later, based on your client connectivity

Profile type: Identity Management


Click Next


Set your configuration as per your organisation's needs on this page


Select the groups to which you want to assign Windows Hello for Business on the Assignments page



Apply the applicability rules if needed; again, this depends on your organisation's requirements


Finally, review and create it


Now the users who are members of those specific groups can use the Windows Hello for Business features in the tenant.


Join a Windows 10 device to Azure AD


To join a Windows 10 or 11 device to Azure AD, go to Settings -> Accounts -> Access work or school, click the button shown below and follow the steps.

Enter the user's UPN

Click Join 



Now your machine has joined the Azure Active Directory tenant.

Now I can log on to the device by using my Azure AD/Office 365 account.



The user profile for this new user is created on the device.



And now, as seen at the beginning, I will be prompted to set up Windows Hello for Business.

Set your new PIN and confirm it

Now the user can log in with the PIN instead of the regular password method.


How to validate Windows Hello for Business in the Intune portal

Now, how can you verify or validate how many of the end users are using, or have successfully configured, Windows Hello for Business? Here you go.

Go to the Intune admin center | Devices | Configuration Profile | select the profile name

Now open View report, which clearly shows the status in detail along with the device information.

You may check further details by clicking the device name.

Determine if Windows Hello for Business is used for your Windows sign-in

To finally check whether Windows Hello for Business is used for the Windows sign-in on an Azure AD joined device, you can check the sign-in logs in Azure AD as follows. This is a kind of troubleshooting step.

Azure Active Directory -> Sign-in logs -> Application contains Windows Sign in [filter]
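As an added example (not part of the original post), the same "Application contains Windows Sign In" filter applied to exported sign-in log entries, followed by a check of which of those sign-ins actually used Windows Hello for Business, so users still signing in with a password stand out. The record layout (userPrincipalName, appDisplayName, deviceDetail.displayName and authenticationDetails[].authenticationMethod) is assumed to match the Azure AD sign-in log export, and the three entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records in the assumed sign-in log layout: two Windows
# sign-ins (one with WHfB, one with a password) and one unrelated app sign-in.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Windows Sign In",
     "deviceDetail": {"displayName": "LAPTOP-01"},
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business",
                                "succeeded": True}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Windows Sign In",
     "deviceDetail": {"displayName": "LAPTOP-02"},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online",
     "deviceDetail": {"displayName": "LAPTOP-01"},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
]


def windows_signins(records):
    """Apply the portal filter 'Application contains Windows Sign In'."""
    return [r for r in records if "windows sign in" in r.get("appDisplayName", "").lower()]


def used_whfb(record) -> bool:
    """True if any successful step of this sign-in used Windows Hello for Business."""
    return any(step.get("succeeded")
               and "windows hello" in step.get("authenticationMethod", "").lower()
               for step in record.get("authenticationDetails", []))


def whfb_summary(records):
    """Map each user to {device: True/False} for their Windows sign-ins, where
    True means at least one sign-in on that device used Windows Hello for Business."""
    summary = defaultdict(dict)
    for r in windows_signins(records):
        user = r.get("userPrincipalName", "<unknown user>")
        device = r.get("deviceDetail", {}).get("displayName", "<unknown device>")
        summary[user][device] = summary[user].get(device, False) or used_whfb(r)
    return dict(summary)


if __name__ == "__main__":
    for user, devices in whfb_summary(SAMPLE_SIGNINS).items():
        for device, ok in devices.items():
            print(f"{user} on {device}: {'WHfB' if ok else 'password only'}")
```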



Disable Windows Hello for Business by using Microsoft Intune

By default, Windows Hello for Business is enabled on machines that join the Azure Active Directory tenant. I can say it is effectively mandatory and disabling it is not recommended; however, there are some situations where we need to disable this feature.

Intune portal

Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, additional settings for Windows Hello are visible and can be configured for devices.

Disabled. If you don’t want to enable Windows Hello for Business during device enrolment, select this option. When disabled, users can’t provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won’t enable Windows Hello for Business.

Not configured. Select this setting if you don’t want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10 devices aren’t changed. All other settings on the pane are unavailable.


I Hope you all enjoyed this topic and happy learning 😊
