Overview
Windows Hello for Business (WHfB) is a setting that, when enabled, forces users to set up a PIN on their device and allows them to sign in to their Windows devices using a PIN code, biometrics (fingerprint, face), and/or security keys such as YubiKey.
By default, WHfB is not configured. In its default state the setting is not enforced on end-user devices, but because the default policy on Windows has WHfB enabled, users will still receive the prompt to set up WHfB, which is then not managed by a company policy.
When enabled, WHfB will force users to set up a PIN code on their device.
When disabled, WHfB will remove the option for users to set up WHfB (unless it was already set up prior to disabling the setting).
Limitations
Enabling the WHfB setting in Endpoint will force users who already have WHfB enabled on their devices to set a new PIN. Users can use the same PIN to set up WHfB, as long as their PIN meets the minimum requirements set by the organisation in Endpoint.
Enabling WHfB does not mean the setting knows or remembers what users' current PINs are. Users will be able to use the same PIN again on the same device.
Changing any setting in WHfB after it has already been enabled will reset the PIN history, and users will again be able to use the same PIN when/if it expires.
Certain settings on WHfB require a device reboot to take effect:
- Changing the minimum PIN length.
- Allowing, disallowing or requiring lowercase, uppercase or special characters.
- Allowing or disallowing biometric authentication.
- and others...
If a user has a WHfB PIN set up on their device prior to the setting being disabled in Endpoint, the user will be able to continue to use WHfB on their current device. Users will not be able to set up WHfB on new devices or in the event their current device is reimaged.
Setup
To set up WHfB on your Intune tenant, you need to be signed in to Intune using an Intune Administrator account.
- Navigate to Devices > Enroll devices > Windows Hello for Business.
- In the Configure Windows Hello for Business dropdown, select Enabled.
- Change the remaining settings to suit your organisation's policy. A working sample of the settings is below.
Note: Boxes with a purple border denote settings that were changed.
- Click on Save for changes to apply.
Note: WHfB applies to All Users in your organisation and cannot be targeted to specific users or devices.
If you need different PIN policies for different groups of users, then a targeted config profile approach would be required.
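To review the tenant-wide settings chosen above outside the portal, the following added example (not part of the original article) checks a policy object against the behaviours described in the Overview and Limitations sections. It assumes the policy has been exported in the shape of the Microsoft Graph deviceEnrollmentWindowsHelloForBusinessConfiguration resource; the sample values, the function name Test-WhfbTenantPolicy and the baseline of 6 digits are constructed for illustration.

```powershell
# Constructed sample shaped like the Microsoft Graph resource
# deviceEnrollmentWindowsHelloForBusinessConfiguration (values are made up).
$sampleJson = @'
{
  "state": "enabled",
  "pinMinimumLength": 4,
  "pinExpirationInDays": 90,
  "pinPreviousBlockCount": 0,
  "unlockWithBiometricsEnabled": true
}
'@

# Hypothetical helper: returns one finding per behaviour worth reviewing.
function Test-WhfbTenantPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int] $MinPinLength = 6   # assumed organisational baseline
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    switch ($Policy.state) {
        'notConfigured' {
            $findings.Add('Not configured: Windows still prompts users to set up WHfB, outside company policy.')
            return $findings
        }
        'disabled' {
            $findings.Add('Disabled: no new WHfB setup; PINs created before disabling keep working on those devices.')
            return $findings
        }
        'enabled' { $findings.Add('Enabled: users are forced to set up a PIN.') }
        default   { $findings.Add("Unknown state '$($Policy.state)'."); return $findings }
    }
    if ($Policy.pinMinimumLength -lt $MinPinLength) {
        $findings.Add("Minimum PIN length $($Policy.pinMinimumLength) is below the baseline of $MinPinLength.")
    }
    # Expiry without history lets users set the same PIN again at expiry.
    if ($Policy.pinExpirationInDays -gt 0 -and $Policy.pinPreviousBlockCount -eq 0) {
        $findings.Add('PIN expires but no PIN history is kept: the same PIN can be reused at expiry.')
    }
    if ($Policy.unlockWithBiometricsEnabled) {
        $findings.Add('Biometric authentication is allowed.')
    }
    $findings
}

Test-WhfbTenantPolicy -Policy ($sampleJson | ConvertFrom-Json)
```

Even with a non-zero PIN history, any later change to the WHfB settings resets that history, so re-run the check after each policy edit.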