Windows Hello offers organizations a streamlined approach to authentication within the Windows environment, allowing users to confirm their identity through biometric data or a PIN. This functionality is further enhanced by Windows Hello for Business, which introduces robust security and management features, including device authentication, device configuration, certificate-based authentication, and integration with Conditional Access.
One of the standout attributes of Windows Hello for Business is that it is a phishing-resistant two-factor authentication method, a point that is often overlooked. Its tight integration with the Microsoft ecosystem also provides single sign-on to a wide range of applications, both cloud-based and on-premises.
Windows Hello for Business as multifactor authentication
Under the National Institute of Standards and Technology (NIST) definition of multifactor authentication (MFA), Windows Hello for Business qualifies as a genuine MFA technology. It combines something you have, a device whose hardware Trusted Platform Module (TPM) holds the private key, with either something you know, such as a PIN, or something you are, such as a fingerprint or face. The PIN or biometric never leaves the device; it only unlocks the TPM-protected key, which then signs the authentication challenge, much as a smart card PIN unlocks the card. Reaching that bar depends on correct configuration, for example requiring a hardware TPM so that the key cannot be created in software.
One notable distinction from a smart card, however, is that the possession factor is not portable: the private key is bound to the TPM of the device on which it was provisioned, so every device a user signs in from needs its own enrollment. Portability is not a requirement for MFA, but organizations may regard it as essential to their authentication framework. Where it is, they might choose a credential that is not tied to a single device, such as a smart card or a FIDO2 security key, or a secondary approval system like Cisco Duo.
Using Microsoft Intune to disable Windows Hello for Business
For organizations that choose not to use Windows Hello for Business, IT administrators should disable it across their endpoints. Turning the feature off on organizational devices stops users from provisioning Windows Hello for Business on their own and clears the way for the alternative MFA solution.
Whatever the reason for disabling Windows Hello for Business, Microsoft Intune offers two distinct ways to do it. The first sets the tenant-wide default that is applied while a device enrolls; the second is a regular configuration profile that can be assigned to specific device groups and changed later, which makes it the better fit when only part of the estate should lose Windows Hello for Business.
Method 1: Disable Windows Hello for Business via enrollment options
- Access the Microsoft Intune admin center portal and navigate to Devices > Windows > Enrollment > Windows Hello for Business.
- On the Windows Hello for Business blade, select Disabled under Configure Windows Hello for Business to disable the feature by default, then click Save.
Method 2: Disable Windows Hello for Business via an account protection policy
- Open the Microsoft Intune admin center portal and navigate to Endpoint security > Account protection.
- On the Endpoint security | Account protection page, click Create Profile > Windows > Account protection.
- On the Basics page, assign a unique name to the account protection profile for differentiation and click Next.
- On the Configuration settings page, scroll to the Device-scoped settings, select false for the Use Windows Hello for Business (Device) setting, and click Next.
- On the Scope tags page, configure the relevant scope tags and click Next.
- On the Assignments page, designate the devices that will be assigned this Account Protection profile and click Next.
- On the Review + create page, review the configuration of the Account Protection profile and click Create.
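Once either method has been applied, the next question is whether a given endpoint actually received the setting and whether a Hello credential already existed on it. The following PowerShell script is an added example, not code from the article or from Microsoft, that audits one Windows device for the resulting state. It assumes (these paths are not stated in the article) that MDM-delivered PassportForWork CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies, that the Group Policy equivalent lives under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork, and that dsregcmd /status prints an NgcSet line for the signed-in user.

```powershell
# Added example (not from the original article): audit one Windows endpoint for the
# Windows Hello for Business (WHfB) state after an Intune "disable" policy has been pushed.
# Assumptions (not taken from the article): MDM-delivered PassportForWork CSP values land
# under HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies, the
# Group Policy equivalent under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork, and
# "dsregcmd /status" prints an "NgcSet" line for the current user. Run in an elevated shell.

function Get-WhfbPolicyState {
    # Reads both policy sources; $null means "not configured" by that source.
    $state = [ordered]@{
        GpoEnabled     = $null   # Enabled DWORD: 1 = use WHfB, 0 = disabled
        MdmUsePassport = $null   # UsePassportForWork: 1 = true, 0 = false
        MdmTenantIds   = @()
    }
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    if (Test-Path $gpoPath) {
        $state.GpoEnabled = (Get-ItemProperty -Path $gpoPath -ErrorAction SilentlyContinue).Enabled
    }
    # MDM keys are created per tenant ID (assumed layout, see the comment at the top).
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem -Path $mdmRoot -ErrorAction SilentlyContinue) {
            $policyKey = Join-Path $tenant.PSPath 'Device\Policies'
            if (-not (Test-Path $policyKey)) { continue }
            $state.MdmTenantIds += $tenant.PSChildName
            $value = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).UsePassportForWork
            if ($null -ne $value) { $state.MdmUsePassport = [int]$value }
        }
    }
    [pscustomobject]$state
}

function Get-WhfbUserState {
    # dsregcmd reports "NgcSet : YES" once the signed-in user has provisioned a Hello key.
    $lines = & dsregcmd.exe /status 2>$null
    $match = $lines | Select-String -Pattern '^\s*NgcSet\s*:\s*(\S+)' | Select-Object -First 1
    $ngcSet = $null
    if ($match) { $ngcSet = ($match.Matches[0].Groups[1].Value -eq 'YES') }
    [pscustomobject]@{ NgcSet = $ngcSet }
}

function Test-WhfbDisabled {
    # Returns $true when at least one policy source turns WHfB off and none turns it on,
    # and warns about the states a rollout engineer wants to know about.
    $policy = Get-WhfbPolicyState
    $user   = Get-WhfbUserState

    $disabledBy = @()
    if ($policy.GpoEnabled -eq 0)     { $disabledBy += 'GroupPolicy' }
    if ($policy.MdmUsePassport -eq 0) { $disabledBy += 'Intune/MDM' }
    $enabledBy = @()
    if ($policy.GpoEnabled -eq 1)     { $enabledBy += 'GroupPolicy' }
    if ($policy.MdmUsePassport -eq 1) { $enabledBy += 'Intune/MDM' }

    if ($enabledBy.Count -gt 0) {
        Write-Warning ("WHfB is still enabled by: {0}. Look for a conflicting policy." -f ($enabledBy -join ', '))
    }
    if ($disabledBy.Count -eq 0 -and $enabledBy.Count -eq 0) {
        Write-Warning 'No WHfB policy found on this device; the Windows default applies.'
    }
    if ($user.NgcSet) {
        Write-Warning 'NgcSet is YES: a Hello credential was provisioned before the policy arrived; verify it is no longer in use.'
    }
    return ($disabledBy.Count -gt 0 -and $enabledBy.Count -eq 0)
}

# Usage: run on an endpoint targeted by the account protection profile.
Get-WhfbPolicyState | Format-List
Get-WhfbUserState   | Format-List
if (Test-WhfbDisabled) { 'Windows Hello for Business is disabled on this device.' }
```

The script deliberately checks both the MDM and the Group Policy sources, because a hybrid-joined device can receive the PassportForWork setting from either channel and a stale Group Policy that still enables Windows Hello for Business would contradict the Intune profile. The NgcSet check matters because the policy governs provisioning: a user who enrolled a PIN before the profile landed should be reviewed rather than assumed to be covered.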
Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.