Admin365.Blog
Admin365 — Azure, Intune & Microsoft 365 for IT Pros

Configure Windows Hello for Business with Intune: Complete Guide

  • TechieGeek
  • September 15, 2025
  • Intune, MD-102

Mastering Windows Hello for Business in Intune

Moving from passwords to Windows Hello for Business (WHfB) enhances security with device-bound keys and biometrics. This guide dives deep into how WHfB works, why it matters, and how to configure it in Microsoft Intune.

What Is Windows Hello for Business?

Windows Hello for Business replaces traditional passwords with strong, key-based authentication that the user unlocks with a gesture. Each gesture unlocks a key pair tied directly to the device. The private key lives in the Trusted Platform Module (TPM) and never leaves the hardware.

  • PIN: A device-specific code that unlocks the private key.
  • Fingerprint: A biometric match against a stored template on the device.
  • Facial recognition: An infrared camera compares your face to a trusted profile.

Sign-in requires both your enrolled device and your gesture. Even if someone steals the device that holds your TPM-protected key, they can’t sign in without the PIN or your biometric.

Why Use WHfB?

  • Strong, phishing-resistant authentication. No passwords to steal or reuse.
  • Hardware-backed security. Private keys never leave the TPM.
  • Flexible deployment. Works in cloud-only or hybrid Active Directory setups.
  • User convenience. Fast sign-in with a glance, touch, or short PIN.

How WHfB Ties to Intune

Intune offers four ways to roll out and enforce WHfB policies:

  1. Enrollment Policy (Tenant-wide)
    Automatically sets up WHfB when Windows devices enroll.
  2. Endpoint Security → Account Protection Profiles
    Pushes WHfB rules to devices after enrollment.
  3. Settings Catalog
    Lets you tweak every WHfB setting in detail.
  4. Security Baselines
    Provides vetted, Microsoft-recommended WHfB configurations.

Preparing for the Exam

You should be able to:

  • Describe WHfB’s purpose and cryptographic underpinnings.
  • List the Intune methods for configuring WHfB.
  • Create and assign WHfB policies in Intune.
  • Explain how WHfB links with device enrollment and security profiles.

Method 1: Tenant-Wide Enrollment Policy

  1. Go to https://intune.microsoft.com and sign in.
  2. Select Devices → Windows → Windows enrollment → Windows Hello for Business.
  3. Set the state:
    • Enabled: WHfB is provisioned during device enrollment.
    • Disabled: Blocks WHfB setup.
    • Not configured: Leaves WHfB off until you apply a profile.
  4. If Enabled, define your PIN complexity, biometric options, and TPM requirements.
  5. Click Save.

This ensures every new Windows device gets WHfB as soon as it enrolls.


Method 2: Account Protection Profile

  1. In Intune, choose Endpoint security → Account protection → + Create policy.
  2. Pick Windows 10 and later as the platform.
  3. Under Settings, turn on WHfB and set your PIN rules, biometric options, and TPM enforcement.
  4. Assign this profile to the user or device groups that need WHfB.
  5. Review and click Create.

Use this when you want to add or update WHfB settings on already enrolled devices.


Method 3: Settings Catalog

The Settings Catalog gives you granular control over every WHfB registry or CSP setting. Search for “Windows Hello for Business” and pick from dozens of options—like NGC security strength, recovery options, and biometric preferences. After configuring, assign it like any other Settings Catalog profile.


Method 4: Security Baselines

Microsoft’s security baselines bundle WHfB settings with other best-practice controls. Navigate to Endpoint security → Security baselines, pick the Windows 10 or 11 baseline, and enable or tweak the WHfB section. This is ideal for getting started quickly with vetted configurations.


Testing Your WHfB Deployment

  1. Enroll a test device in Intune.
  2. Check the policy application by going to Settings → Accounts → Sign-in options. You should see Windows Hello PIN or biometrics ready.
  3. Try each gesture (PIN, fingerprint, face) to confirm sign-in works.
  4. Simulate failure by removing your fingerprint or face data. Ensure the system falls back to your PIN.
  5. Monitor: In Intune’s Device configuration status, verify successful or failed deployments.

Troubleshooting Tips

  • If biometric options are missing, ensure the device has the right hardware and drivers.
  • PIN complexity rules may block setup—adjust them in your policy if users can’t pick a PIN.
  • For hybrid Azure AD join, confirm device registration in Azure AD before testing WHfB.
  • Use the dsregcmd /status command on Windows to see device join and WHfB status.
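
The dsregcmd /status check from the last tip can be scripted so the same fields are read on every test device. The following is an added example, not code from the original post: it parses the "Name : Value" lines that dsregcmd prints and reports the fields most relevant to WHfB. The function names and the sample output are constructed for illustration.

```powershell
# Added example: summarize WHfB-relevant fields from `dsregcmd /status` output.
function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; banner rows have no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-WhfbReadiness {
    param([Parameter(Mandatory)][hashtable]$Status)
    $expected = @(
        @{ Field = 'AzureAdJoined'; Meaning = 'device is Azure AD joined (also YES for hybrid join)' }
        @{ Field = 'TpmProtected';  Meaning = 'device key is protected by the TPM' }
        @{ Field = 'AzureAdPrt';    Meaning = 'signed-in user holds a Primary Refresh Token' }
        @{ Field = 'PolicyEnabled'; Meaning = 'a WHfB policy is enabled for this device/user' }
        @{ Field = 'NgcSet';        Meaning = 'user has enrolled a WHfB credential' }
    )
    foreach ($e in $expected) {
        $actual = if ($Status.ContainsKey($e.Field)) { $Status[$e.Field] } else { '(missing)' }
        [pscustomobject]@{
            Field   = $e.Field
            Value   = $actual
            Ok      = ($actual -eq 'YES')
            Meaning = $e.Meaning
        }
    }
}

# Constructed sample (not captured from a real device): joined, policy applied, PIN not yet enrolled.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
              TpmProtected : YES
                AzureAdPrt : YES
                    NgcSet : NO
             PolicyEnabled : YES
              PreReqResult : WillProvision
'@ -split '\r?\n'

# On a real device, run in the signed-in user's session: $lines = dsregcmd /status
Get-WhfbReadiness -Status (ConvertFrom-DsRegStatus -Lines $sample) | Format-Table -AutoSize
```

A row with Ok = False points at the prerequisite to investigate first; in the sample only NgcSet fails, which is the expected state before the user completes PIN setup.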

By following these methods, you’ll deliver a secure, user-friendly sign-in experience across your Windows fleet. Whichever Intune path you choose, Windows Hello for Business keeps passwords out of the equation and your organization safer.


Copyright © Admin365.Blog
