With the latest update for Microsoft Intune in August 2018 it is now possible to deploy Windows Hello with a device configuration profile and assign it to a device or user group. This is perfect for pilot deployment of Windows Hello, earlier it was only possible to set Windows Hello as a tenant wide settings, so it was a all or nothing setting unless you did it with a custom profile.

I created this Intune user voice back in march 2017 – the main reason for that user voice was a cloud only solution I had done on a school and when the students was AzureAD joining there devices a two-step verification was presented to the end user and they need to confirm there  identity with a phone call or a text message – this was not a great solution for students from 0 – 5 grade.UserVoice

Later on I has also found that when a Windows 10 device is hybrid AzureAD joined and Co-managed with SCCM the Windows Hello and the two-step verification will also kicks in – if that is ok in the corporate environment then it is fine, but not we can do a pilot on Windows Hello instead of doing it as a tenant wide setting.

How to set up a pilot with Windows Hello:

We need to start by turning of the tenant wide setting if it is not already done, start Microsoft 365 device admin center – https://devicemanagement.portal.azure.com

  1. Click Device enrollment
  2. Click Windows Enrollment

WH4B - 000.png

  1. Click Windows Hello for business
  2. Click default

WH4B - 00

  1. Click Settings
  2. Configure Windows Hello for Business – Disable (By default it is enabled)

Note: If the settings it enabled on a tenant level it will work with Windows Autopilot – so if you are disabling it on a tenant level you can experience that it is not working as part of the enrollment process for the device.

WH4B - 01

Now you need to create a new Windows Hello profile so that you can enable Windows Hello for a device or user group.

  1. Click Device Configuration
  2. Click Profile
  3. Click Create profile

WH4B - Device Configuration 00

  1. Enter a name for the profile
  2. Select platform : Windows 10 and later
  3. Select Profile type : Identity Protection
  4. Select Settings
  5. Configure Windows Hello for Business: Enable
  6. Minimum PIN length:
  7. Maximum PIN length:
  8. Lowercase letters in PIN: Allowed
  9. Uppercase letters in PIN: Allowed
  10. Special characters in PIN: Allowed
  11. PIN expiration (days): 365
  12. Remember PIN history: 3
  13. Enable PIN recovery: Enable
  14. Use a Trusted Platform Module (TPM): Enable *
  15. Allow biometric authentication: Enable
  16. Use enhanced anti-spoofing, when available: Enable
  17. Certificate for on-premise resources: Enable

The settings is what I normally use – you need to see if that match your corporate security policies and adjust the profile so it match.

WH4B - Device Configuration 02

Note:if TPM is set to enabled it will require a TPM on the devices


Then you are ready to assign the profile – you can assign the profile to groups of users or devices, and the exclude groups will also work in this scenario,

WH4B - Device Configuration 03

Note: The new Windows Hello profile will apply to the end users at  the next sync from there Windows device to Intune and not only on login,

Windows Hello User experience:

The end user will be presented for the 3 screen shown below – the end user needs to confirm with a Phone call it a text message and the create a PIN on the device – the PIN will only be on the device and cannot be used on other devices so it is more save then a password,

Read more:

Integrate Windows Hello for Business with Microsoft Intune
How to setup Windows Hello for Business in the new Intune portal