Disable WHfB Post Logon Provisioning using Intune

Background

A common practice in many organizations is to disable Windows Hello for Business tenant-wide while allowing it for specific users or devices. This ensures that users won’t be prompted with the mandatory WHfB screen during the device enrollment process, giving them the flexibility to configure it when they are ready.

This kind of setup can be achieved with the following two steps:

  1. Disable WHfB during device enrollment in the Windows Enrollment settings, by navigating to Devices > Enroll devices > Windows Enrollment.
  2. Enable WHfB using a Device Configuration Profile > Identity Protection.

By following both of these steps, users will have the ability to configure WHfB post-logon. However, users will be prompted to configure WHfB every time they sign out, sign back in, or restart the device. While they have the option to skip it, the prompt will reappear the next time they attempt to sign in to the device.

This can be quite annoying, and there are situations where you might want to disable it, ensuring users won’t encounter the WHfB screen after login. However, you still want to make sure users can go to the Settings App and configure WHfB when they are ready.

In this blog post, we’ll address this issue using Intune Device Remediations. If you don’t meet the licensing requirements for using Device Remediations, you can use the provided PowerShell scripts and deploy them using the Devices > Scripts method.

Deploying PowerShell scripts using the Devices > Scripts method has one drawback — it doesn’t provide the same level of reporting that you get when deploying PowerShell scripts using the Device Remediations method. However, it can still get the job done.

Step 1 – Download PowerShell Scripts

I have created two PowerShell scripts: a detection script that checks the WHfB registry keys and values, and a remediation script that sets the registry keys and values when they do not match the required values. You can download them using the provided links below:

Step 2 – Create a Script Package

To create a script package in the Intune admin center, follow the steps below:

Create a Script Package

Basics Tab

Provide the Name and Description of the package. Keep the rest of the settings at their defaults. For example:

  • Name: Disable Post Logon WHfB mandatory configuration
  • Description: After applying this script package, the WHfB post-logon mandatory configuration will no longer be required.
  • Publisher: Jatin Makhija (auto-filled)
  • Version: Auto-filled

Create a Script Package

Settings Tab

Browse to the Detection and Remediation scripts and configure the settings below.

  • Detection script file – Browse to the detection script file Detect-WHfB-reg.ps1.
  • Remediation script file – Browse to the remediation script file Remediate_WHfB-reg.ps1.
  • Run this script using the logged-on credentials – No
  • Enforce script signature check – No
  • Run script in 64-bit PowerShell – Yes

Create a Script Package

Scope tags

Click on Next.

Assignments

Click “Add group” to include an Entra ID security group containing users or devices. Once you’ve tested the script package and are ready to deploy it to all devices, you have the option to click “Add all devices”. Choose the schedule for running this PowerShell script from the options “Once”, “Hourly” or “Daily”.

For testing purposes, opt for an hourly schedule. Once testing proves successful, you can switch to a Daily schedule.

Create a Script Package

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

Step 3 – Monitor the Script package

To monitor the progress of a script package deployed via Intune, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Remediations.
  • Click on the Remediation script package you want to monitor.
  • Go to the Overview to find the deployment status of the script package.

Monitor the Script package

End-user Experience

After a successful deployment, you’ll observe that registry keys to disable WHfB post-logon provisioning have been created. To confirm this, follow the steps below:

  • Press Windows key + R to open the Run dialog box.
  • Type regedit and press Enter to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft, where you will find the PassportForWork registry key.
  • Within the PassportForWork registry key, locate the two entries named DisablePostLogonProvisioning and Enabled. Ensure that both entries are set to a value of 1.
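As an added example (my own script, not the author's downloadable Detect-WHfB-reg.ps1 or Remediate_WHfB-reg.ps1), the following PowerShell checks the two PassportForWork values listed above, writes them as REG_DWORD 1 when they are missing or of the wrong type or value, and exits with the codes Intune Remediations expect (0 = compliant, 1 = non-compliant). It assumes it runs as SYSTEM in 64-bit PowerShell, as configured in Step 2, because it writes to HKLM; for a Remediations deployment, the Test-WHfBRegistry part becomes the detection script and the Set-WHfBRegistry part the remediation script, while the combined file suits the Devices > Scripts fallback.

```powershell
# Added example for this post; not the author's Detect-WHfB-reg.ps1 / Remediate_WHfB-reg.ps1.
# Runs as SYSTEM in 64-bit PowerShell (HKLM writes need it). Exit 0 = compliant, 1 = not.
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$Expected = @{
    Enabled                      = 1   # WHfB stays enabled, so users can enroll from Settings later
    DisablePostLogonProvisioning = 1   # suppress the mandatory post-logon WHfB prompt
}

function Test-WHfBRegistry {
    # Detection logic: $true only when the key exists and both values are REG_DWORD 1.
    if (-not (Test-Path -Path $RegPath)) { return $false }
    $key = Get-Item -Path $RegPath
    foreach ($name in $Expected.Keys) {
        # GetValue returns $null when the value is absent; a REG_SZ "1" fails the kind check.
        if ($null -eq $key.GetValue($name, $null)) { return $false }
        if ($key.GetValueKind($name) -ne 'DWord') { return $false }
        if ([int]$key.GetValue($name) -ne $Expected[$name]) { return $false }
    }
    return $true
}

function Set-WHfBRegistry {
    # Remediation logic: create the key if needed and (re)write both values as REG_DWORD.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $RegPath -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

if (Test-WHfBRegistry) {
    Write-Output "Compliant: $RegPath already disables post-logon provisioning."
    exit 0
}

# Non-compliant: apply the fix, then re-test so the exit code reflects the real end state.
Write-Output 'Non-compliant: PassportForWork values missing or wrong; remediating.'
Set-WHfBRegistry
if (Test-WHfBRegistry) {
    Write-Output 'Remediated: both values now set to REG_DWORD 1.'
    exit 0
}
Write-Output 'Remediation failed: values still do not match.'
exit 1
```

The Write-Output lines surface in the Remediations report as the pre- and post-remediation output, which is the reporting advantage over Devices > Scripts mentioned earlier.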

End-user Experience

More Information

Where to find logs for Intune device remediation scripts?

You can monitor Intune device remediation scripts using the Intune admin center, as shown in Step 3. However, if you want to verify the execution of detection and remediation scripts, you can also review the IntuneManagementExtension.log file.

  • Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log file. You can sort the file list using the Date modified column.
  • Open the file and search for the Intune device remediation script package. You will find the Detection and Remediation scripts with their exit codes, which confirm that the scripts are working as intended.

Conclusion

In this blog post, we discussed disabling WHfB post-logon provisioning through Intune device remediations. If you don’t have the right license for Intune device remediations, you can use a remediation script and deploy it using the “Devices > Scripts” approach.

An alternative method is to create a PowerShell or batch file and package it into an .intunewin file. Subsequently, you can set up a Win32 app deployment to distribute the .intunewin package to devices managed by Intune.
