Windows Hello for Business (WHfB) is a secure authentication method that uses biometrics (face/fingerprint) or a PIN for user authentication. You may have completely disabled WHfB in your organization, but you may also want to delete the Windows Hello for Business registration from the device.
A Windows Hello for Business (WHfB) container is a logical grouping that stores the user’s keys, certificates, and credentials managed by Windows Hello.
You can remove the Windows Hello for Business container on a Windows 10 or Windows 11 device using a straightforward command: certutil.exe -deleteHelloContainer
This command must be run under the user context, because it deletes the container of the user it runs as. Simply open a command prompt as the affected user and execute the command. After that, restart the device to complete the change.
Manually deleting the container is feasible when dealing with a few devices. However, for a more efficient approach, especially when dealing with hundreds of devices, an automated solution is necessary.
Today, I’ll be using Intune Device Remediations to delete Windows Hello for Business (WHfB) registration information for the logged-on user. I’ve created two PowerShell scripts. The first one detects whether WHfB configuration exists for the user, and if it does, it triggers the remediation script, which executes the certutil.exe command mentioned earlier.
Intune Device Remediations requires users to have one of the following licenses. If you do not meet the license criteria, you can instead deploy the Remediate_WHfB.ps1 script via Intune admin center > Devices > Scripts. For more information, refer to the blog post: How to deploy a PowerShell script using Intune.
Source: Microsoft
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Virtual Desktop Access (VDA) per user
Step 1 – Download PowerShell Scripts
As mentioned earlier, deleting a WHfB registration for a user using Intune Device Remediations requires a Detection script and a Remediation script. You can download them using the links below.
- Download Detect-WHfB.ps1 script: Detect-WHfB.ps1.
- Download Remediate_WHfB.ps1: Remediate-WHfB.ps1.
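As an added example, not the author's downloadable scripts, here is a minimal detection and remediation pair that follows the Intune remediation convention (detection exits 1 when remediation is needed, 0 when the device is compliant; remediation exits 0 on success). The detection check is an assumption on my part: it relies on dsregcmd /status reporting NgcSet : YES in its User State section when the current user has a WHfB container. The remediation runs the certutil command from the text and must be deployed with "Run this script using the logged-on credentials" set to Yes. Save the two parts as two separate .ps1 files.

```powershell
# ---- Detect-WHfB.ps1 ----
# Runs as the logged-on user. Exit 1 = WHfB container present, run remediation.
# Exit 0 = nothing to do. Output lines land in IntuneManagementExtension.log.
# Assumption: "NgcSet : YES" in dsregcmd /status (User State) means the current
# user has a Windows Hello for Business (NGC) container.
try {
    $status  = & "$env:SystemRoot\System32\dsregcmd.exe" /status 2>&1
    $ngcLine = $status | Where-Object { $_ -match '^\s*NgcSet\s*:' } | Select-Object -First 1
    if (-not $ngcLine) {
        Write-Output "NgcSet not reported by dsregcmd; assuming no WHfB container for $env:USERNAME"
        exit 0
    }
    $ngcSet = ([regex]::Match($ngcLine, 'NgcSet\s*:\s*(\w+)')).Groups[1].Value
    if ($ngcSet -ieq 'YES') {
        Write-Output "WHfB container present for $env:USERNAME; remediation required"
        exit 1
    }
    Write-Output "No WHfB container for $env:USERNAME"
    exit 0
}
catch {
    # Surface the failure as "issue detected" so it is visible in the Intune console
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# ---- Remediate-WHfB.ps1 (separate file) ----
# Runs as the logged-on user; deletes that user's WHfB container with the
# certutil command from the text. Exit 0 = success, anything else = failure.
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
$output   = & $certutil -deleteHelloContainer 2>&1
$code     = $LASTEXITCODE
# Log certutil's own output so it can be checked in IntuneManagementExtension.log
Write-Output ($output -join ' ')
if ($code -ne 0) {
    Write-Output "certutil.exe -deleteHelloContainer failed with exit code $code"
    exit $code
}
Write-Output "WHfB container deleted for $env:USERNAME; a restart completes the change"
exit 0
```

The scripts only write to the Intune log; the restart the text calls for is left to the device's normal reboot cycle rather than forced on the user.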
Step 2 – Create a Script Package
To create a script package in the Intune admin center, follow the steps below:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Remediations
- Click on + Create script package
Basics Tab
Provide the Name and Description of the package. Keep the rest of the settings at their defaults. For example:
- Name: Delete WHfB registration
- Description: Provide a useful description
- Publisher: Jatin Makhija (auto-filled)
- Version: Auto-filled
Settings Tab
Browse to the Detection and Remediation scripts and configure the settings below.
- Detection script file – Browse to the Detection script Detect-WHfB.ps1.
- Remediation script file – Browse to the Remediation script file Remediate_WHfB.ps1.
- Run this script using the logged-on credentials – Yes (required, because certutil.exe -deleteHelloContainer only removes the container of the user it runs as)
- Enforce script signature check – No (set this to Yes only if the scripts are signed with a code-signing certificate the devices trust)
- Run script in 64-bit PowerShell – Yes
Scope tags
Click on Next.
Assignments
Click “Add group” to include an Entra ID security group containing users. Once you’ve tested the script package and are ready to deploy it to all users, you can instead click “Add all users”. Choose the schedule for running this PowerShell script, with options for “Once”, “Hourly” or “Daily”.
For testing purposes, opt for an hourly schedule. Once testing proves successful, you can switch to a Daily schedule.
Review + Create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Step 3 – Monitor the Script package
To monitor the progress of a script package deployed via Intune, follow the steps below:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Remediations
- Click on the Remediation script package you want to monitor.
- Go to the Overview tab to find the deployment status of the script package.
End-user Experience
After deploying this script package to the targeted devices, end users won’t receive any notifications. The script package runs silently in the background, checking whether the user has configured Windows Hello for Business (WHfB). If WHfB is configured, the script deletes the WHfB registration without any user intervention.
More Information
Where to find logs for Intune device remediation scripts?
You can monitor Intune device remediation scripts using the Intune admin center, as shown in Step 3. However, if you want to verify the execution of the detection and remediation scripts on a device, you can also review the IntuneManagementExtension.log file.
- Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log file. You can sort the file list using the Date modified column.
- Open the file and search for the Intune device remediation script package. You will find the Detection and Remediation scripts with their exit codes, which confirm that the scripts are working as expected: a detection exit code of 1 means the WHfB container was found and remediation was triggered, 0 means nothing was found, and a remediation exit code of 0 means the certutil command completed successfully.