Configure Windows Hello for Business
This article describes the options to configure Windows Hello for Business in an organization, and how to implement them.
Configuration options
You can configure Windows Hello for Business by using the following options:
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with provisioning packages, which are usually used at deployment time or for unmanaged devices. To configure Windows Hello for Business, use the PassportForWork CSP
- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
Policy precedence
Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business:
- User policies take precedence over computer policies. If a user policy is set, the corresponding computer policy is ignored. If a user policy isn't set, the computer policy is used
- Windows Hello for Business policy settings are enforced using the following hierarchy:
  - User - GPO
  - Computer - GPO
  - User - PassportForWork CSP
  - Device - PassportForWork CSP
  - Exchange Active Sync - DeviceLock CSP
Important
If you configure password length and complexity settings defined by the DeviceLock CSP, and PIN length and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
The DeviceLock CSP utilizes the Exchange ActiveSync Policy (EAS) engine. For more information, see Exchange ActiveSync Policy Engine Overview.
Note
If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
Retrieve the Microsoft Entra tenant ID
Configuring several Windows Hello for Business policy settings via CSP or the registry requires specifying the Microsoft Entra tenant ID where the device is registered.
To look up your tenant ID, see How to find your Microsoft Entra tenant ID, or run the following Microsoft Graph request while signed in with your organization's account:
GET https://graph.microsoft.com/v1.0/organization?$select=id
For example, the PassportForWork CSP documentation describes how to configure Windows Hello for Business options using the OMA-URI:
./Device/Vendor/MSFT/PassportForWork/{TenantId}
When configuring devices, replace TenantID with your Microsoft Entra tenant ID. For example, if your Microsoft Entra tenant ID is dcd219dd-bc68-4b9b-bf0b-4a33a796be35, the OMA-URI would be:
./Device/Vendor/MSFT/PassportForWork/{dcd219dd-bc68-4b9b-bf0b-4a33a796be35}
Configure Windows Hello for Business using Microsoft Intune
For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
There are different ways to enable and configure Windows Hello for Business in Intune:
- Using a policy applied at the tenant level. The tenant policy:
  - Is only applied at enrollment time, and any changes to its configuration don't apply to devices already enrolled in Intune
  - Applies to all devices getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
- Using a device configuration policy that is applied after device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
Verify the tenant-wide policy
To check the Windows Hello for Business policy settings applied at enrollment time:
1. Sign in to the Microsoft Intune admin center
2. Select Devices > Windows > Windows Enrollment
3. Select Windows Hello for Business
4. Verify the status of Configure Windows Hello for Business and any settings that might be configured
Policy conflicts from multiple policy sources
Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business, as it can lead to unexpected results. If you mix GPO and CSP policy settings, the conflicting CSP settings aren't applied until the group policy settings are cleared.
Important
The MDMWinsOverGP policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the Policy CSP, while the Windows Hello for Business policies are in the PassportForWork CSP.
Note
For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see Windows device settings to enable Windows Hello for Business in Intune and PassportForWork CSP.
Disable Windows Hello for Business enrollment
Windows Hello for Business is enabled by default for devices that are Microsoft Entra joined. If you need to disable the automatic enablement, there are different options, including:
- Disable Windows Hello using the tenant-wide policy
- Disable it using one of the policy types available in Intune, while enabling the Enrollment Status Page (ESP). The ESP can be configured to prevent a user from accessing the desktop until the device receives all the required policies. For more information, see Set up the Enrollment Status Page. The policy setting to configure is Use Windows Hello for Business
- Provision the devices using a provisioning package that disables Windows Hello for Business. For more information, see Provisioning packages for Windows
- Scripted solutions that can modify the registry settings to disable Windows Hello for Business during OS deployment
Configuration type | Key path | Key name | Type | Value
---|---|---|---|---
CSP (user) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies | UsePassportForWork | REG_DWORD | 1 to enable, 0 to disable
CSP (device) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies | UsePassportForWork | REG_DWORD | 1 to enable, 0 to disable
GPO (user) | HKEY_USERS\<UserSID>\SOFTWARE\Policies\Microsoft\PassportForWork | Enabled | REG_DWORD | 1 to enable, 0 to disable
GPO (device) | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork | Enabled | REG_DWORD | 1 to enable, 0 to disable
Note
If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results.
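The following read-only audit script is an added example; it is not part of the article and not Microsoft's code. It reads the four registry locations from the table above, applies the precedence the article describes (user before computer, GPO before PassportForWork CSP), and flags the GPO-plus-CSP mix that the "Policy conflicts from multiple policy sources" section warns about. It assumes that the `UserSid` segment of the CSP (user) key path stands for the signed-in user's SID, and that the tenant is the GUID-named subkey under the PassportForWork policy root; the function names `Get-PolicyDword`, `Get-WhfbPolicySources` and `Resolve-WhfbEffectiveState` are the example's own.

```powershell
# Added example (not from the article or from Microsoft): audit which policy source
# controls the Windows Hello for Business "enabled" state on the local device.
# Assumptions: "UserSid" in the CSP (user) key path is the signed-in user's SID, and the
# tenant is the GUID-named subkey under the PassportForWork policy root.
# Read-only; run in an elevated PowerShell session on the device being audited.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD if both key and value exist, otherwise $null ("not configured")
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-WhfbPolicySources {
    param(
        [Parameter(Mandatory)][string]$UserSid,
        [string]$TenantId
    )
    $cspRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (-not $TenantId) {
        # Discover the tenant GUID subkey when the caller does not supply it
        $TenantId = Get-ChildItem -Path $cspRoot -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' } |
            Select-Object -First 1 -ExpandProperty PSChildName
    }
    # Ordered to match the article's hierarchy: the first configured entry wins
    $sources = [ordered]@{
        'GPO (user)'   = @{ Path = "Registry::HKEY_USERS\$UserSid\SOFTWARE\Policies\Microsoft\PassportForWork"; Name = 'Enabled' }
        'GPO (device)' = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Name = 'Enabled' }
        'CSP (user)'   = @{ Path = "$cspRoot\$TenantId\$UserSid\Policies"; Name = 'UsePassportForWork' }
        'CSP (device)' = @{ Path = "$cspRoot\$TenantId\Device\Policies"; Name = 'UsePassportForWork' }
    }
    foreach ($label in $sources.Keys) {
        $s = $sources[$label]
        [pscustomobject]@{
            Source = $label
            Path   = $s.Path
            Name   = $s.Name
            Value  = Get-PolicyDword -Path $s.Path -Name $s.Name
        }
    }
}

function Resolve-WhfbEffectiveState {
    param([Parameter(Mandatory)][object[]]$Sources)
    $configured = @($Sources | Where-Object { $null -ne $_.Value })
    $fromGpo = @($configured | Where-Object { $_.Source -like 'GPO*' })
    $fromCsp = @($configured | Where-Object { $_.Source -like 'CSP*' })
    $winner  = $configured | Select-Object -First 1
    if (-not $winner) {
        $state = 'Not configured (default applies)'
    } elseif ($winner.Value -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }
    [pscustomobject]@{
        EffectiveState  = $state
        WinningSource   = if ($winner) { $winner.Source } else { $null }
        # Mixing GPO and CSP is the conflict the article warns about: the CSP settings
        # are not applied until the group policy settings are cleared
        MixedGpoAndCsp  = ($fromGpo.Count -gt 0) -and ($fromCsp.Count -gt 0)
        ConfiguredCount = $configured.Count
    }
}

# Usage: audit the signed-in user on this device
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$sources = Get-WhfbPolicySources -UserSid $sid
$sources | Format-Table Source, Value, Path -AutoSize
Resolve-WhfbEffectiveState -Sources $sources
```

A `MixedGpoAndCsp` of `$true` is the condition to remediate before troubleshooting anything else, since the article states that conflicting CSP settings are ignored while group policy settings remain in place; an `EffectiveState` of "Not configured" on a Microsoft Entra joined device means the default (enabled) behaviour applies.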
Next steps
For a list of Windows Hello for Business policy settings, see Windows Hello for Business policy settings.
To learn more about Windows Hello for Business features and how to configure them, see: