By default it is not configured – so this means that the default behavior on Windows 10 takes effect. When a Windows 10 device is Azure Active Directory joined there will kick in a two-step verificering of the user, that is a part of the Azure Multifactor Authentication (MFA) service that ensures that the users are who the said there are.

This is a nice feature in most scenarios, but in a education environment where students in primary school from the age from 7 – 10, it is not a good idea to use Windows Hello for Business as it requires two-step verification – MFA with a phone or a mail.

In a company, Windows Hello for Business is much more easy to implement and a way to get the users to sign in to Windows 10 in a more secure way. The user dont have to use there company password to sign-in to there Windows 10 devices and getting access to company cloud resources.


In Windows 10 desktop and mobile versions prior to the Anniversary Update, you could set two different PINS that could be used to authenticate to resources:

  • The device PIN could be used to unlock the device and connect to cloud resources.
  • The work PIN was used to access Azure AD resources on user’s personal devices (BYOD).

In the Anniversary Update, these two PINS were merged into one single device PIN. Any Intune configuration policies you set to control the device PIN, and additionally, any Windows Hello for Business policies you configured, now both set this new PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy will be applied on both Windows 10 desktop and mobile devices. To ensure policy conflicts are resolved and that the PIN policy is applied correctly, update your Windows Hello for Business Policy to match the settings in your configuration policy, and ask your users to sync their devices in the Company Portal app.

How to setup Windows Hello for Business in the new Intune Portal:

Go into and find the Intune service.

Click on Device enrollment

Intune - Windows Hallo - 01

Click on “Windows Hallo for Business”

Intune - Windows Hallo - 02

Click on the Default policy All users

I have created a Intune User Voice in hope to get the possibility to create more than one Windows Hello for Business – please Vote!!!

Intune - Windows Hallo - 03

In the All Users blade

Click Settings

Intune - Windows Hallo - 04

Then it is possibility to Configure Windows Hello for Business:

The default is : Not Configured

If you select Disable – Then the user will not get prompted for two-step verification when they are AzureAD joining a device.

When selecting Enable – you can configure the settings for Windows Hello for Business

Intune - Windows Hallo - 05

Here are the settings:

Configure Windows Hello for Business:
If disabled, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning may be required. Not configured will honor configuration done on the client.

Use a Trusted Module (TPM):
A Trusted Platform Module (TPM) provides an additional layer of data security. If set to required, only devices with an accessible TPM can provision Windows Hello for Business. If set to preferred, devices attempt to use a TPM, but if not available will provision using software.

Minimum PIN length:
Minimum PIN length must be between 4 and 127

Maximum PIN length:
Maximum PIN length must be between 4 and 127

Lowercase letters in PIN:
If required, user PIN must include 1+ lowercase letters.

Uppercase letters in PIN:
If required, user PIN must include 1+ Uppercase letters.

Special characters in PIN:
If required, user PIN must include 1+ special characters letters.
Special characters include: ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

PIN expiration (days):
If configures, the user will be forced to change their PIN after the set number of days. The user can still proactively change there PIN before expiration. The default is 41 days.

Remember PIN history:
If set to remember, the user will not be able to reuse this number of previous PINs.

Allow enhanced anti-spoofing, when available:
If yes, devices will use enchained anti-spoofing, when available (for example, detecting a photograph of a face instead of a real face). If no, anti-spoofing will be blocked. Not configured will honor configuration done on the client.

Allow phone sign-in:
If allowed, users with Azure Active Directory joined desktops may use a portable, registered device as a companion for desktop authentication. The companion device must be configured with a Windows Hello for Business PIN.

Intune - Windows Hallo - 06

Try it out and see what settings are the right for your organization.