diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md index ad9366ba78..4c70d30a01 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md 
@@ -15,16 +15,32 @@ After the prerequisites are met and the PKI configuration is validated, Windows For Azure AD joined devices and hybrid Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. -Windows Hello for Business can be enabled during device enrollment in Intune, or with a policy: +There are different ways to enable Windows Hello for Business via Intune: -- The device enrollment policy is only applied at enrollment time, and any changes to its configuration won't apply to already enrolled devices -- A device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices +- Using a policy applied at the tenant level. Note that this policy: + - is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune + - it applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually kept disabled and Windows Hello for Business is enabled using a policy targeted to a security group +- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh. There are different policy types to chose from: + - settings catalog + - [security baselines](/mem/intune/protect/security-baselines) + - custom policy, via the PassportForWork CSP + - [account protection policy](/mem/intune/protect/endpoint-security-account-protection-policy) + - identity protection policy template -#### Enable Windows Hello for Business +#### Verify the tenant-wide policy -If you already enabled Windows Hello for Business, you can skip to **configure the policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. 
+To check the Windows Hello for Business policy applied at enrollment time: -You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured + +:::image type="content" source="./images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png"::: + +If the tenant-wide policy is enabled, you can skip to [Provision Windows Hello for Business](#provision-windows-hello-for-business). Otherwise, follow the instructions below to create a policy. + +#### Enable Windows Hello for Business with a settings catalog policy 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png b/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png new file mode 100644 index 0000000000..97177965e3 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg deleted file mode 100644 index 0eae3a4546..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md index 756daf10c7..84d5d061fa 100644 --- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md +++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/28/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md index a5f284c022..d29011fbe6 100644 --- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md +++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/28/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md index d051eb625e..c335058ab5 100644 --- a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md +++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/28/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md index 1c41485f11..4724b9d6da 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md 
@@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md index bbdeb4c308..a9b2685f07 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md index 066cedee40..b6ba025722 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md index 43b4857b79..bcd0d47382 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md index 57c03e95a3..955f819fbf 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md index 4691d86bc0..a5b340a3f8 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md index d6ca6e8f5d..81e14489f5 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md index 61346cd80e..302cbee601 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- 
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md index a5074f5bd4..b637be9beb 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md index 4c073f0897..40496f1006 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md index 46d97c93e6..b89d23afb8 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-intro.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md index d953bf92d2..82f5f99a23 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md 
@@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md index e502110b5c..d7cd002e30 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md index 562b919f98..ba8b5df65a 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md index b106b5b8c8..06ab63397f 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md index f290b0d975..ef66939cb2 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md index 8c78f79b90..3b89d756cf 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md index cb8e3a05c2..fa465e241c 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md index dbee55d604..3e4bdecccc 100644 --- a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- 
diff --git a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md index cdf7076f1b..c37c3f265e 100644 --- a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md +++ b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/28/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md index ca5ca4486a..130dc7519a 100644 --- a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md +++ b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/28/2022 ms.topic: include ---
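Review bot: In the hello-hybrid-key-trust-provision.md hunk, the added `:::image:::` line sets `source="./images/whfb-intune-disable.png"` but `lightbox="./images/whfb-disable.png"`. Only whfb-intune-disable.png is added by this patch, so the lightbox target looks like a wrong path; point both attributes at the same file. In the same hunk, "policy types to chose from" should read "choose". The second sub-bullet under "Note that this policy:" ("it applies to *all devices*") should drop "it" so it parallels the first sub-bullet. Step 1 of "Verify the tenant-wide policy" names the admin center without the link that step 1 of the settings catalog procedure carries. The new text also says the tenant-wide policy "is usually kept disabled" and then tells readers they can skip ahead if it is enabled; a sentence on which of the two states the article expects for a group-targeted rollout would remove the ambiguity.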
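Review bot: The binary change that deletes images/whfb-intune-reset-pin.jpg has no matching text hunk in the visible patch that removes a reference to that image. Before merging, confirm that no article under hello-for-business still embeds whfb-intune-reset-pin.jpg, or include the hunk that drops the reference.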
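Review bot: In the includes/*.md hunks, every front matter block loses `author: paolomatarazzo` and `ms.author: paoloma`, and nothing in the visible patch says where that ownership metadata now comes from. If the values are meant to be inherited from a repository-level default, state that in the change description; otherwise these include files end up with no recorded owner. The `ms.date` values (12/08/2022 and 12/28/2022) are left untouched, which is fine for a metadata-only edit but worth confirming as intentional.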