Configuring Windows Hello – Planning and Implementing Authentication


Windows Hello for Business (WHFB) supports cloud-only, hybrid Azure AD, and on-premises deployments. The easiest deployment model is cloud-only, because a Microsoft 365 organization is set up for it automatically. We'll look at that scenario in this section.
During the out-of-box experience (OOBE), users are prompted for credentials. After the user signs in with an Azure AD credential, and provided the Intune enrollment policy has not been configured to block WHFB, they are prompted to enroll biometric data (such as a facial scan with a compatible camera) and set a PIN.
Devices are joined to Azure AD during this initial sign-in, and WHFB is enabled.
If your subscription supports it, Microsoft recommends creating a WHFB policy to configure the settings for your organization:

  1. Navigate to the Intune admin center (https://intune.microsoft.com or https://endpoint.microsoft.com).
  2. Expand Devices, and under Device enrollment, select Enroll devices.

Figure 7.11 – Enroll devices

  3. Select Windows enrollment and then choose Windows Hello for Business.

Figure 7.12 – Windows Hello for Business

  4. Under Assigned to, select a group (if scoping the enrollment policy to a subset of users).
  5. Configure the options for WHFB (the admin center shows the current default for each setting):
    • Configure Windows Hello for Business: Enabled, Disabled, Not Configured
    • Use a Trusted Platform Module (TPM): Required, Preferred (Preferred lets devices without a usable TPM fall back to software-protected keys; Required blocks WHFB enrollment on those devices)
    • Minimum PIN length: Configure a numeric value between 4 and 127
    • Maximum PIN length: Configure a numeric value between 4 and 127
    • Lowercase letters in PIN: Not allowed, Allowed, Required
    • Uppercase letters in PIN: Not allowed, Allowed, Required
    • Special characters in PIN: Not allowed, Allowed, Required
    • PIN expiration (days): Never, numeric value between 1 and 730
    • Remember PIN history: Never, numeric value between 1 and 50
    • Allow biometric authentication: Yes, No
    • Use enhanced anti-spoofing, when available: Not configured, Yes, No
    • Allow phone sign-in: Yes, No
    • Use security keys for sign-in: Not configured, Enabled, Disabled
  6. Click Save to update the enrollment policy.

With the policy configured, new device enrollments (for the configured user group) will receive the WHFB setup prompt to begin enrollment, as shown in Figure 7.13:

Figure 7.13 – WHFB enrollment
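Once the policy is saved, it is worth checking periodically that nobody has quietly relaxed it (TPM set back to Preferred, minimum PIN length dropped to 4). The following PowerShell script is an added example, not code from the book or from Microsoft: it reads the tenant-wide WHFB enrollment configuration through Microsoft Graph and compares it with a baseline. The Graph resource type and property names are those of the deviceEnrollmentWindowsHelloForBusinessConfiguration resource; the baseline values, and the sample policy used so the check runs offline, are this script's own assumptions.

```powershell
# Added example, not code from the book or from Microsoft: audit the tenant-wide
# Windows Hello for Business enrollment policy against a hardened baseline.
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph,
# Invoke-MgGraphRequest). The resource type and property names are those of the
# Graph deviceEnrollmentWindowsHelloForBusinessConfiguration resource; the
# baseline values are this script's assumptions, not Intune defaults.

$GraphBase = 'https://graph.microsoft.com/beta'
$WhfbType  = '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'

# Baseline to enforce (assumed values; adjust for your tenant).
$Baseline = @{
    state                       = 'enabled'
    securityDeviceRequired      = $true     # Use a TPM: Required
    pinMinimumLength            = 6         # treated as a floor, not an exact match
    pinExpirationInDays         = 0         # 0 means Never
    unlockWithBiometricsEnabled = $true     # Allow biometric authentication: Yes
    enhancedBiometricsState     = 'enabled' # Use enhanced anti-spoofing: Yes
    remotePassportEnabled       = $false    # Allow phone sign-in: No
}

function Get-WhfbEnrollmentPolicy {
    # Read the WHFB enrollment configuration from the tenant with a read-only scope.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome
    $response = Invoke-MgGraphRequest -Method GET `
        -Uri "$GraphBase/deviceManagement/deviceEnrollmentConfigurations"
    # Invoke-MgGraphRequest returns hashtables; keep only the WHFB configuration(s).
    $response.value | Where-Object { $_['@odata.type'] -eq $WhfbType }
}

function Test-WhfbPolicyBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [hashtable] $Expected = $Baseline
    )
    # One finding per baseline setting. pinMinimumLength is compared as a floor;
    # every other setting must match the baseline exactly. A missing property
    # (null) counts as non-compliant.
    foreach ($key in $Expected.Keys) {
        $want = $Expected[$key]
        $have = $Policy[$key]
        $ok = if ($key -eq 'pinMinimumLength') { [int]$have -ge [int]$want }
              else { "$have" -eq "$want" }
        [pscustomobject]@{
            Setting   = $key
            Expected  = $want
            Actual    = $have
            Compliant = $ok
        }
    }
}

# Constructed sample policy (not from a real tenant), in the shape Graph returns,
# so the check runs offline. Replace with (Get-WhfbEnrollmentPolicy) for a live audit.
$SamplePolicy = @{
    '@odata.type'               = $WhfbType
    state                       = 'enabled'
    securityDeviceRequired      = $false
    pinMinimumLength            = 4
    pinExpirationInDays         = 0
    unlockWithBiometricsEnabled = $true
    enhancedBiometricsState     = 'notConfigured'
    remotePassportEnabled       = $false
}

$findings = Test-WhfbPolicyBaseline -Policy $SamplePolicy
$findings | Format-Table -AutoSize
$drift = @($findings | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} WHFB setting(s) deviate from baseline: {1}" -f `
        $drift.Count, ($drift.Setting -join ', '))
}
```

Against the constructed sample, three settings are flagged: securityDeviceRequired (TPM not required), pinMinimumLength (4 is below the floor of 6) and enhancedBiometricsState. The script is deliberately read-only; remediation is a PATCH to the configuration's own id with the non-compliant properties, which needs the ReadWrite variant of the scope and is better done as a reviewed change than from an audit script.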
After completing enrollment, users can unlock and sign in to their devices using supported biometrics or their PIN.
Users whose devices are already joined to Azure AD can also trigger the Windows Hello setup wizard, either from the Account protection page of the Windows Security app or by pressing Windows + R and entering ms-cxh://nthaad in the Run dialog box.
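A completed wizard does not by itself prove that the credential ended up where the policy intended. The following PowerShell is an added example, not code from the book or from Microsoft: it parses the output of dsregcmd /status on an enrolled device and reports whether a Windows Hello (NGC) key exists for the signed-in user and whether it is TPM-bound. The field names (AzureAdJoined, TpmProtected, NgcSet, NgcKeyId) are the ones dsregcmd prints; the sample output embedded at the end is constructed so the parser can be exercised offline.

```powershell
# Added example, not code from the book or from Microsoft: confirm on an enrolled
# device that the Windows Hello for Business key was actually provisioned, by
# parsing the output of dsregcmd /status. The field names (AzureAdJoined,
# TpmProtected, NgcSet, NgcKeyId) are the ones dsregcmd prints; the sample output
# at the bottom is constructed so the parser can be exercised offline.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # dsregcmd prints "   Name : Value" rows inside boxed sections; the box
    # borders ("+---", "| Device State |") do not match the pattern and are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbProvisioned {
    param([Parameter(Mandatory)] [hashtable] $State)
    # NgcSet : YES means a Windows Hello (NGC) key exists for the signed-in user.
    # TpmProtected : YES means the device's keys are TPM-bound rather than
    # software-only, which is what a "Use a TPM: Required" policy is meant to
    # guarantee. Anything missing from the output evaluates to $false.
    $joined = $State['AzureAdJoined'] -eq 'YES'
    $ngc    = $State['NgcSet'] -eq 'YES'
    $tpm    = $State['TpmProtected'] -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined = $joined
        NgcSet        = $ngc
        NgcKeyId      = $State['NgcKeyId']
        TpmProtected  = $tpm
        Ready         = $joined -and $ngc -and $tpm
    }
}

# Live check on the current device. Run it in the user's own (non-elevated)
# session, because the User State section reflects the account running dsregcmd:
#   Test-WhfbProvisioned -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))

# Constructed sample output (not captured from a real device) for offline use.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {00000000-0000-0000-0000-000000000000}
                  CanReset : DestructiveAndNonDestructive
'@ -split "`r?`n"

Test-WhfbProvisioned -State (ConvertFrom-DsregStatus -Lines $SampleStatus)
```

A device that shows AzureAdJoined : YES but NgcSet : NO has joined but never completed Windows Hello provisioning (typically a blocked or not-yet-applied enrollment policy, or a user who dismissed the wizard); that is the case where sending the user to ms-cxh://nthaad is the right fix. A device with NgcSet : YES but TpmProtected : NO has a software-only key, which a Required TPM policy should not have allowed and is worth investigating.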
Next, we’ll look at configuring Microsoft Authenticator for password-less sign-in.
