Background
A common practice in many organizations is to disable Windows Hello for Business (WHfB) tenant-wide while enabling it for specific users or devices. Users are then not forced through the mandatory WHfB screen during device enrollment and can configure it when they are ready.
This setup takes two steps:
- Disable WHfB during device enrollment in the Windows Enrollment settings: navigate to Devices > Enroll devices > Windows Enrollment.
- Enable WHfB through a Device Configuration Profile > Identity Protection.
With both steps in place, users can configure WHfB after logon. However, they are prompted to configure WHfB every time they sign out and back in or restart the device. They can skip the prompt, but it reappears at the next sign-in.
This is unpleasant, and there are situations where you want to suppress the prompt so users never see the WHfB screen after login, while still letting them open the Settings app and configure WHfB when ready.
This blog post addresses this using Intune Device Remediations (formerly Proactive Remediations). If you don't meet the licensing requirements for Device Remediations, you can deploy the provided PowerShell scripts through Devices > Scripts and remediations > Platform scripts instead.
The Platform scripts method has one drawback: it does not give you the per-device detection and remediation reporting you get with Device Remediations. It still gets the job done.
Step 1 – Download PowerShell Scripts
I have created two PowerShell scripts: a detection script that checks the WHfB registry key and values, and a remediation script that creates or corrects them when they do not match the required values. You can download them using the links below:
- Download the Detect-WHfB-reg.ps1 script: Detect-WHfB-reg.ps1.
- Download the Remediate-WHfB-reg.ps1 script: Remediate-WHfB-reg.ps1.
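As an added example (my own code, not the downloadable scripts linked above), the following shows what a detection/remediation pair for this policy looks like. Save the two parts as separate .ps1 files at the separator comment. Assumptions: the scripts run as SYSTEM in 64-bit PowerShell (the settings chosen in Step 2), and the target is the GPO-backed key HKLM\SOFTWARE\Policies\Microsoft\PassportForWork with the DWORD values Enabled=1 and DisablePostLogonProvisioning=1 that the post verifies later. A detection exit code of 1 tells Intune to run the remediation; 0 means compliant.

```powershell
# ---------- Detect-WHfB-reg.ps1 ----------
# Example detection script (added here, not the post's download). Assumes SYSTEM context.
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$Required = @{ Enabled = 1; DisablePostLogonProvisioning = 1 }

try {
    $Current = Get-ItemProperty -Path $RegPath -ErrorAction Stop
} catch {
    Write-Output "Non-compliant: key $RegPath does not exist"
    exit 1    # 1 = issue found, Intune runs the remediation script
}

# Compare every required value; a missing value reads as $null and is non-compliant
$Mismatch = foreach ($Name in $Required.Keys) {
    $Value = $Current.$Name
    if ($null -eq $Value -or [int]$Value -ne $Required[$Name]) {
        "$Name=$Value (expected $($Required[$Name]))"
    }
}

if ($Mismatch) {
    Write-Output "Non-compliant: $($Mismatch -join '; ')"
    exit 1
}
Write-Output 'Compliant: WHfB post-logon provisioning is disabled'
exit 0

# ---------- Remediate-WHfB-reg.ps1 ----------
# Example remediation script (added here, not the post's download). Assumes SYSTEM context.
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$Required = @{ Enabled = 1; DisablePostLogonProvisioning = 1 }

try {
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    foreach ($Name in $Required.Keys) {
        # -Force overwrites a wrong value; DWord matches what the policy expects
        New-ItemProperty -Path $RegPath -Name $Name -Value $Required[$Name] -PropertyType DWord -Force | Out-Null
    }
    # Re-read so the remediation output in the console shows what was actually written
    $After = Get-ItemProperty -Path $RegPath
    Write-Output "Remediated: Enabled=$($After.Enabled) DisablePostLogonProvisioning=$($After.DisablePostLogonProvisioning)"
    exit 0
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The Write-Output lines matter: Intune shows the last line of detection and remediation output in the device status view, so make them describe the state rather than just "done".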
Step 2 – Create a Script Package
To create a script package in the Intune admin center, follow the steps below:
- Sign in to the Intune admin center.
- Go to Devices > Scripts and remediations.
- Click on + Create.
Basics Tab
Provide the Name and Description of the package. Keep the rest of the settings as default. For Example:
- Name: Disable Post Logon WHfB mandatory configuration
- Description: Provide any helpful description.
- Publisher: Jatin Makhija (auto-filled)
- Version: Auto-filled
Settings Tab
Under Detection and Remediation scripts, configure the settings below.
- Detection script file – Browse to the detection script Detect-WHfB-reg.ps1.
- Remediation script file – Browse to the remediation script Remediate-WHfB-reg.ps1.
- Run this script using the logged-on credentials – No (the scripts write under HKLM, which needs the SYSTEM context).
- Enforce script signature check – No
- Run script in 64-bit PowerShell – Yes
Scope tags
Click on Next.
Assignments
Click Add group to assign an Entra ID security group containing the target users or devices, then choose the schedule for the script package: Once, Hourly, or Daily.
For testing, use Hourly. Once testing succeeds, switch to Daily.
Review + Create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in might not begin immediately. On a test device you can start an Intune sync manually from the device itself or remotely from the Intune admin center.
Alternatively, you can force the sync with PowerShell on the device; restarting the device also triggers a check-in.
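As an added example (not from the original post), this is how to force both check-ins from an elevated PowerShell session on the test device. Two separate channels are involved: MDM policy sync runs through the PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\, while remediation script packages are delivered by the Intune Management Extension (IME) service. Assumption: the device is already MDM-enrolled and the IME is installed.

```powershell
#Requires -RunAsAdministrator
# Added example: trigger an MDM sync and an IME check-in on an Intune-managed device.

# 1. MDM policy sync: start the same task the OS runs on its own schedule.
#    Assumption: the enrollment GUID folder exists, so the wildcard TaskPath matches it.
$PushLaunch = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
if (-not $PushLaunch) {
    Write-Warning 'No PushLaunch task found: is this device MDM-enrolled?'
} else {
    $PushLaunch | Start-ScheduledTask
    Write-Output "Started $($PushLaunch.TaskPath)$($PushLaunch.TaskName)"
}

# 2. Remediation packages come from the IME, not the MDM channel. Restarting the
#    service makes it check in for scripts and apps immediately instead of waiting.
$Ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if ($Ime) {
    Restart-Service -Name 'IntuneManagementExtension' -Force
    Write-Output 'IntuneManagementExtension restarted; follow IntuneManagementExtension.log for the check-in'
} else {
    Write-Warning 'IME service not installed yet; it arrives with the first MDM sync'
}
```

If the PushLaunch lookup returns several tasks (a device with more than one enrollment folder), Start-ScheduledTask simply starts each of them.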
Step 3 – Monitor the Script package
To monitor the progress of a script package deployed via Intune, follow the steps below:
- Sign in to the Intune admin center.
- Go to Devices > Scripts and remediations
- Click on the Remediation script package you want to monitor.
- Open Overview to see the deployment and detection status of the script package.
End-user Experience
After a successful deployment, the registry values that disable WHfB post-logon provisioning are present on the device. To confirm this, follow the steps below:
- Press the Windows key + R to open the Run dialog box
- Type regedit and press Enter to open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft; you will find the PassportForWork key.
- Within the PassportForWork key, locate the two DWORD values DisablePostLogonProvisioning and Enabled. Ensure both are set to 1.
More Information
Where can you find logs for Intune device remediation scripts?
As shown in Step 3, you can monitor Intune device remediation scripts in the Intune admin center. To verify that the detection and remediation scripts actually executed on a device, review the IntuneManagementExtension.log file.
- Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log (sort the file list by Date modified; rolled-over logs carry a timestamp suffix).
- Search the file for the script package by name or policy ID. You will find the detection and remediation runs with their exit codes: a detection exit code of 1 means an issue was found and remediation ran, 0 means the device was compliant.
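Reading the IME log by hand gets tedious once it has rolled over a few times. The following is an added example (my own code, not part of the post) that parses the CMTrace-format entries in every IntuneManagementExtension*.log file and lists those whose message matches a pattern. Assumptions: the default log folder, and that $Pattern is something you choose (the package name, its policy ID, or a phrase such as 'exit code'); it is not a string the IME is guaranteed to write.

```powershell
# Added example: search the CMTrace-format IME logs for entries matching a pattern.
param(
    [string]$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs',
    [string]$Pattern = 'exit code'   # assumption: replace with your package name or policy ID
)

# One CMTrace entry. (?s) lets the message span several lines, which IME entries often do.
$EntryRegex = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
$Culture    = [System.Globalization.CultureInfo]::InvariantCulture

function Get-CMTraceEntry {
    param([Parameter(Mandatory)][string]$Path)
    $Raw = Get-Content -Path $Path -Raw
    foreach ($m in [regex]::Matches($Raw, $EntryRegex)) {
        # time looks like 10:23:45.1234567 or 10:23:45.123+000; drop any UTC offset
        $TimePart = ($m.Groups['time'].Value -split '[+-]')[0]
        try {
            $When = [datetime]::ParseExact($m.Groups['date'].Value, 'M-d-yyyy', $Culture) + [timespan]::Parse($TimePart, $Culture)
        } catch {
            $When = [datetime]::MinValue   # unparseable stamp: keep the entry, sort it first
        }
        [pscustomobject]@{
            Time      = $When
            Level     = switch ($m.Groups['type'].Value) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
            File      = Split-Path -Path $Path -Leaf
        }
    }
}

# The IME rolls the log over to IntuneManagementExtension-<timestamp>.log, so read all of them
$Files = Get-ChildItem -Path $LogDir -Filter 'IntuneManagementExtension*.log' -File

$Hits = foreach ($File in $Files) {
    Get-CMTraceEntry -Path $File.FullName | Where-Object { $_.Message -match $Pattern }
}

$Hits | Sort-Object Time | Format-Table Time, Level, Component, File, Message -AutoSize -Wrap
```

Run it as an administrator (the Logs folder is readable by admins) and pass -Pattern with the package name you used in Step 2 to see only that package's detection and remediation entries in chronological order.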
Conclusion
This blog post discussed disabling WHfB post-logon provisioning through Intune Device Remediations. If you don't have the right license for Device Remediations, you can deploy the remediation script through the Platform scripts approach instead.
An alternative is to create a PowerShell or batch script, package it into an .intunewin file, and deploy it as a Win32 app to Intune-managed devices.
A simpler way to do this would be to just use a Configuration Profile with Custom CSP:
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram
(https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)
Life saver!
Hello
I am trying to remove PIN code, fingerprint and Face ID from our company PCs to force employees to use their actual password.
After completing these steps I can see the regedit keys, but the PIN code / fingerprint is not disabled on my test PC.
Is there anything I am missing for it to disable the options for WHfB?
Mikkel Henriksen
Introduction
Windows Hello for Business is a private and secure identity verification method built into Windows 10 and later. There may be instances where you need to delete a Windows Hello for Business registration from a device. This article provides a step-by-step guide on how to do this.
Body
Step 1: Open Command Prompt
First, open an elevated Command Prompt. To do this:
Press the Windows key + X and select Command Prompt (Admin) from the menu. On recent Windows builds the menu shows Terminal (Admin) instead; open a Command Prompt tab there, because the commands below use cmd.exe syntax.
Step 2: Delete the WinBioDatabase
Next, delete the biometric database. The Windows Biometric Service (WbioSrvc) keeps these files open, so stop it first, then delete the files:
net stop WbioSrvc
del /F /Q C:\Windows\System32\WinBioDatabase\*
This deletes all files in the WinBioDatabase directory, that is, the enrolled fingerprint and face templates for every user on the device (it does not touch the PIN). Start the service again afterwards with net start WbioSrvc.
Step 3: Delete the Hello Container
Finally, delete the Hello container using certutil.exe. The container belongs to the signed-in user, so run this command as the user whose registration you want to remove; an elevated prompt opened under a different administrator account would delete that administrator's container instead. Run the following command:
certutil.exe -DeleteHelloContainer
This deletes the user's Hello container (the PIN and the key material behind the WHfB credential), effectively removing that user's Windows Hello for Business registration on this device. Sign out and back in afterwards; the user is prompted to provision WHfB again if policy still enables it.
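The same procedure wrapped in PowerShell, as an added example that is not part of the original article. It adds the checks a practitioner wants: the biometric service is stopped before the database is deleted and started again afterwards, an access-denied error on the database is reported instead of silently skipped, and certutil's exit code is checked. Assumptions: the script runs in an elevated session as the user whose Hello container is to be removed, and deleting the biometric templates for all users on the device is intended.

```powershell
#Requires -RunAsAdministrator
# Added example: reset Windows Hello biometrics and the current user's Hello container.
# Assumes it runs as the affected user (certutil acts on the current user's container).

$WinBioDb = Join-Path -Path $env:SystemRoot -ChildPath 'System32\WinBioDatabase'

# 1. The Windows Biometric Service holds the template files open; stop it first
Stop-Service -Name 'WbioSrvc' -Force -ErrorAction SilentlyContinue

# 2. Remove the fingerprint/face templates for every user on the device
if (Test-Path -Path $WinBioDb) {
    try {
        Get-ChildItem -Path $WinBioDb -File -Force | Remove-Item -Force -ErrorAction Stop
        Write-Output "Removed biometric templates from $WinBioDb"
    } catch {
        # Typically an ACL problem: report it rather than pretend the reset succeeded
        Write-Warning "Could not delete $WinBioDb contents: $($_.Exception.Message). Take ownership of the folder and retry."
    }
} else {
    Write-Output "No biometric database at $WinBioDb (nothing enrolled)"
}

Start-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue

# 3. Delete the current user's Hello container (PIN + key material)
$CertutilOutput = & certutil.exe -DeleteHelloContainer 2>&1
Write-Output $CertutilOutput
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil returned $LASTEXITCODE; make sure you are running as the user whose container you want to remove"
} else {
    Write-Output 'Hello container deleted. Sign out and back in to re-provision Windows Hello for Business if policy enables it.'
}
```

Because step 2 clears templates for every account on the machine while step 3 only affects the current user, other users will keep their PIN but lose fingerprint and face sign-in until they re-enrol.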
🔗 Relevant links
Windows Hello for Business Overview
Certutil tasks for managing a certification authority
Command Prompt: frequently asked questions
if you have other Win-Hello configs set through Intune (such as min. PIN, cloudtrust, no cap/etc), doing it this way bypasses all the configs in Intune. It leaves everything at default.
I found this too. I changed the location to be the location that Intune uses and everything works.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\{TENANT ID}\Device\Policies