Managing Windows Hello for Business (WHfB) with Intune

This document outlines the steps and considerations for managing Windows Hello for Business (WHfB) within your organization using Microsoft Intune. WHfB is a passwordless authentication method for Windows sign-in and access to corporate resources: the credential is an asymmetric key bound to the device (ideally to its TPM) and unlocked by a PIN or biometric gesture, which gives two-factor authentication (something you have, the device; something you know or are, the PIN or biometric).


1. Prerequisites and Trust Models

Before configuring WHfB in Intune, ensure the following prerequisites are met:

  • Entra ID (Azure AD) Environment: Devices must be either Entra ID joined (cloud-only) or hybrid Entra ID joined.
  • Intune License: Users and devices must be licensed for Intune and enrolled.
  • TPM: Devices should have a Trusted Platform Module (TPM) 2.0. Without a TPM, WHfB can still be provisioned, but the key is software-backed and offers weaker protection; setting "Use a Trusted Platform Module" to Required (see section 2) blocks provisioning on devices that lack one.
  • Infrastructure: The required infrastructure depends on the chosen Trust Model. On-premises SSO only matters for hybrid joined devices; cloud-only environments need none of the on-premises components listed here.

  Trust Model          | Authentication                                                                 | Required Infrastructure                                                                                                                                 | Notes
  Cloud Kerberos Trust | Entra ID; Entra ID issues a Kerberos TGT for on-premises SSO                   | Entra Connect; an Entra Kerberos server object created in the on-premises AD; Windows Server 2016+ domain controllers; Windows 10 21H2 / Windows 11 21H2 or later clients | Recommended for hybrid environments: no PKI and no certificates on the domain controllers.
  Key Trust            | Entra ID; the Hello key itself is used for on-premises SSO                     | Enough Windows Server 2016+ domain controllers, each with a certificate carrying the KDC Authentication EKU                                              | Requires careful planning of domain controller distribution: every site where users sign in needs such DCs.
  Certificate Trust    | Entra ID; a user certificate tied to the Hello key is used for on-premises SSO | Certification Authority (CA), Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES); hybrid deployments also need AD FS | Most complex setup; typically for organizations with existing PKI requirements (for example certificate-based RDP).
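Before rolling out the policy it is worth checking the prerequisites above on a representative device. The following PowerShell script is an added example (not from the original page): it checks for a ready TPM 2.0, parses the output of dsregcmd /status into a hashtable, and reports the join state, the provisioning prerequisite checks Windows itself records, and whether the current user already has a Hello key. It assumes an elevated prompt on a Windows 10/11 device; dsregcmd.exe and Get-Tpm ship with Windows.

```powershell
# Added example (not from the original page): WHfB prerequisite check on a client.
# Run elevated on the device under test.

# 1. TPM: present, ready, and spec version 2.0 (Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38")
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
$tpm2 = $tpm.TpmPresent -and $tpm.TpmReady -and (($spec -split ',')[0].Trim() -eq '2.0')
"TPM present/ready: $($tpm.TpmPresent)/$($tpm.TpmReady), spec: $spec, usable for hardware-bound WHfB keys: $tpm2"

# 2. Parse 'dsregcmd /status' ("   Name : Value" lines) into a hashtable.
#    The value is everything after the first colon, so URLs survive intact.
$status = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}

# 3. Join state: Entra joined (cloud-only) or hybrid joined is required.
$joined = $status['AzureAdJoined'] -eq 'YES'
$hybrid = $joined -and ($status['DomainJoined'] -eq 'YES')
"Entra ID joined: $joined (hybrid joined: $hybrid)"

# 4. Windows' own provisioning prerequisite results. These keys only appear in the
#    'Ngc Prerequisite Check' section, which dsregcmd prints while the user has not yet provisioned.
$checks = 'IsDeviceJoined','IsUserAzureAD','PolicyEnabled','PostLogonEnabled',
          'DeviceEligible','SessionIsNotRemote','CertEnrollment','PreReqResult'
foreach ($key in $checks) {
    if ($status.ContainsKey($key)) { '{0,-20} {1}' -f $key, $status[$key] }
}

# 5. Has the current user already provisioned a Hello key?
"NgcSet (Hello key provisioned): $($status['NgcSet'])"
if ($status['NgcSet'] -eq 'YES') { "NgcKeyId: $($status['NgcKeyId'])" }
```

A PreReqResult of WillProvision with PolicyEnabled : YES means the Intune policy has reached the device and the user will be prompted at next sign-in; PolicyEnabled : NO after a policy sync points at targeting or a policy conflict rather than at the device.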

2. Intune Configuration Methods

Intune offers two primary methods to configure WHfB settings:

A. Account Protection Policy (Endpoint Security) 🛡️

This is the recommended and most modern approach. It is found under Endpoint Security and consolidates identity-related settings.

  1. Navigate to the Microsoft Intune admin center.
  2. Go to Endpoint security > Account protection.
  3. Click Create Policy.
  4. For Platform, select Windows 10, Windows 11, and Windows Server.
  5. For Profile, select Account protection.
  6. Configure the settings under Windows Hello for Business:
    • Configure Windows Hello for Business: Set to Enabled.
    • Use a Trusted Platform Module (TPM): Set to Required for the highest security.
    • Enable PIN Recovery: Set to Yes to allow users to reset a forgotten PIN through the PIN Recovery service.
    • Minimum PIN Length/Maximum PIN Length: Define complexity requirements (e.g., Minimum: 6).
    • Require lowercase letters/uppercase letters/special characters: Configure based on security policy.
    • PIN expiration (days): Set how often the PIN must be changed; 0 means the PIN never expires, which is acceptable because the PIN only unlocks a key on this one device and is never sent over the network.
    • Remember PIN history: Set a number of previous PINs users cannot reuse.
    • Allow biometric authentication: Set to Yes to enable face or fingerprint sign-in.
    • Use enhanced anti-spoofing: Set to Enabled if devices support it.
  7. Assign the policy to a targeted group of users or devices.

B. Settings Catalog ⚙️

The Settings Catalog provides granular access to thousands of settings, including all WHfB settings, offering more flexibility but requiring a deeper understanding of the CSPs (Configuration Service Providers).

  1. Navigate to the Microsoft Intune admin center.
  2. Go to Devices > Configuration profiles.
  3. Click Create profile.
  4. For Platform, select Windows 10 and later.
  5. For Profile type, select Settings catalog.
  6. In the Configuration settings step, click Add settings.
  7. Search for “Windows Hello for Business” and select settings from the “Windows Hello for Business” and “PassportForWork” categories. This is where you would configure settings specific to your chosen trust model (e.g., Use Cloud Trust For On-Prem Auth).
  8. Configure the desired settings (e.g., Use Passport For Work to Enabled).
  9. Assign the policy to the target group.

3. Tenant-Wide Enrollment Policy (Initial Setup)

For the initial provisioning experience (typically during Autopilot or OOBE), Intune also provides a tenant-wide setting:

  1. Navigate to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment > Windows enrollment.
  3. Select Windows Hello for Business.
  4. Under Configure Windows Hello for Business, select Enabled so that users are prompted to provision WHfB during device setup (OOBE or Autopilot) and at first sign-in.
    • Note: This is an organization-wide setting, so the Account Protection policy is necessary for granular control and specific PIN settings after enrollment.

4. Important Considerations

  • Policy Conflicts: Avoid setting WHfB configurations in multiple Intune policy types (e.g., both Account Protection and Settings Catalog) or with conflicting Group Policy Objects (GPOs), as this can lead to unpredictable behavior or failure to provision.
  • Targeting: Policies should generally be targeted at users for the provisioning experience, as WHfB is a user-specific credential.
  • Monitoring: Regularly monitor the deployment status in Endpoint security > Account protection to ensure successful policy application and to identify devices with failures.
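Because the Account Protection policy (section 2A) and Settings Catalog profiles (section 2B) are both stored as Intune configuration policies, the conflict check above can be automated. The following PowerShell script is an added example (not from the original page or from Microsoft): it lists every configuration policy whose settings come from the PassportForWork CSP, shows the value each policy sets, and warns when the same setting is configured with different values in more than one assigned policy. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account holds the DeviceManagementConfiguration.Read.All permission; the Graph beta endpoint is used because configurationPolicies is only exposed there.

```powershell
# Added example (not from the original page): audit Intune configuration policies
# for Windows Hello for Business (PassportForWork CSP) settings and flag conflicts.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

# Walk a settingInstance tree and return leaf (definitionId, value) pairs.
# Choice settings and group collections can nest child instances.
function Get-LeafSettings {
    param([object]$Instance)
    $id = $Instance.settingDefinitionId
    if ($Instance.choiceSettingValue) {
        [pscustomobject]@{ Id = $id; Value = $Instance.choiceSettingValue.value }
        foreach ($child in $Instance.choiceSettingValue.children) { Get-LeafSettings $child }
    }
    elseif ($Instance.simpleSettingValue) {
        [pscustomobject]@{ Id = $id; Value = $Instance.simpleSettingValue.value }
    }
    elseif ($Instance.groupSettingCollectionValue) {
        foreach ($group in $Instance.groupSettingCollectionValue) {
            foreach ($child in $group.children) { Get-LeafSettings $child }
        }
    }
}

# Page through all policies; Graph returns @odata.nextLink while more remain.
$policies = @()
$uri = "${base}?`$select=id,name,platforms,technologies"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $policies += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$rows = foreach ($p in $policies) {
    $settings = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/settings" -OutputType PSObject).value
    $assigned = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/assignments" -OutputType PSObject).value.Count -gt 0
    foreach ($s in $settings) {
        Get-LeafSettings $s.settingInstance |
            Where-Object { $_.Id -like '*passportforwork*' } |
            ForEach-Object {
                [pscustomobject]@{ Policy = $p.name; Assigned = $assigned; Setting = $_.Id; Value = $_.Value }
            }
    }
}

"WHfB settings found across $($policies.Count) configuration policies:"
$rows | Sort-Object Setting, Policy | Format-Table -AutoSize

# Conflict: one setting definition set to more than one distinct value in assigned policies.
$conflicts = $rows | Where-Object Assigned | Group-Object Setting |
    Where-Object { @($_.Group.Value | Select-Object -Unique).Count -gt 1 }

if ($conflicts) {
    Write-Warning 'Conflicting WHfB settings in assigned policies (resolve before users provision):'
    foreach ($c in $conflicts) {
        "  $($c.Name)"
        $c.Group | ForEach-Object { "      $($_.Policy) -> $($_.Value)" }
    }
} else {
    'No conflicting WHfB settings across assigned policies.'
}
```

The script only sees Intune policies. Group Policy Objects that set PassportForWork values on hybrid joined devices are not visible through Graph, so after the Intune side is clean, check the GPOs applied to the same OUs (for example with gpresult /h on an affected device) before concluding that a provisioning failure is not a conflict.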