maciejrebisz.com

How to start a pilot on Windows Hello with Intune – Cloud First

With the August 2018 update for Microsoft Intune, it is now possible to deploy Windows Hello with a device configuration profile and assign it to a device or user group. This is perfect for a pilot deployment of Windows Hello. Earlier it was only possible to set Windows Hello as a tenant-wide setting, so it was an all-or-nothing setting unless you did it with a custom profile.

I created this Intune user voice back in March 2017 – the main reason for that user voice was a cloud-only solution I had done at a school: when the students were AzureAD joining their devices, a two-step verification was presented to the end user and they needed to confirm their identity with a phone call or a text message – this was not a great solution for students in grades 0 – 5.

Later on I also found that when a Windows 10 device is hybrid AzureAD joined and co-managed with SCCM, Windows Hello and the two-step verification will also kick in – if that is OK in the corporate environment then it is fine, but now we can do a pilot on Windows Hello instead of doing it as a tenant-wide setting.

How to set up a pilot with Windows Hello:

We need to start by turning off the tenant-wide setting if that is not already done. Start the Microsoft 365 device admin center – https://devicemanagement.portal.azure.com

  1. Click Device enrollment
  2. Click Windows Enrollment
  3. Click Windows Hello for business
  4. Click default
  5. Click Settings
  6. Configure Windows Hello for Business – Disable (By default it is enabled)

Note: If the setting is enabled at the tenant level, it will work with Windows Autopilot – so if you disable it at the tenant level, you may find that it does not work as part of the enrollment process for the device.

Now you need to create a new Windows Hello profile so that you can enable Windows Hello for a device or user group.

  1. Click Device Configuration
  2. Click Profile
  3. Click Create profile
  4. Enter a name for the profile
  5. Select platform: Windows 10 and later
  6. Select Profile type: Identity Protection
  7. Select Settings
  8. Configure Windows Hello for Business: Enable
  9. Minimum PIN length:
  10. Maximum PIN length:
  11. Lowercase letters in PIN: Allowed
  12. Uppercase letters in PIN: Allowed
  13. Special characters in PIN: Allowed
  14. PIN expiration (days): 365
  15. Remember PIN history: 3
  16. Enable PIN recovery: Enable
  17. Use a Trusted Platform Module (TPM): Enable *
  18. Allow biometric authentication: Enable
  19. Use enhanced anti-spoofing, when available: Enable
  20. Certificate for on-premise resources: Enable

These settings are what I normally use – you need to check whether they match your corporate security policies and adjust the profile so that it matches.

Note: If TPM is set to Enable, a TPM is required on the devices.

Then you are ready to assign the profile – you can assign the profile to groups of users or devices, and the exclude groups will also work in this scenario.

Note: The new Windows Hello profile will apply to the end users at the next sync from their Windows device to Intune, and not only on login.
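The same pilot profile can also be created and assigned through Microsoft Graph, which makes the settings reviewable as text before they reach the tenant. The script below is an added example, not part of the original post: it assumes the Microsoft Graph beta `windowsIdentityProtectionConfiguration` resource and the Microsoft.Graph PowerShell module, and the function name, display name and `PilotGroupId` parameter are hypothetical. The PIN length properties are left out because the post gives no values for them.

```powershell
# Added example: the Identity Protection profile from the steps above as a Graph (beta) payload.
# The Microsoft.Graph.Authentication module is only needed when -Apply is used.
function New-WhfbPilotProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$PilotGroupId,   # hypothetical: object ID of your pilot Azure AD group
        [switch]$Apply           # without -Apply the function only returns the JSON body
    )
    $body = [ordered]@{
        '@odata.type'                                = '#microsoft.graph.windowsIdentityProtectionConfiguration'
        displayName                                  = $DisplayName
        windowsHelloForBusinessBlocked               = $false    # Configure Windows Hello for Business: Enable
        pinLowercaseCharactersUsage                  = 'allowed'
        pinUppercaseCharactersUsage                  = 'allowed'
        pinSpecialCharactersUsage                    = 'allowed'
        pinExpirationInDays                          = 365
        pinPreviousBlockCount                        = 3         # Remember PIN history
        pinRecoveryEnabled                           = $true
        securityDeviceRequired                       = $true     # Use a TPM: required on the devices
        unlockWithBiometricsEnabled                  = $true
        enhancedAntiSpoofingForFacialFeaturesEnabled = $true
        useCertificatesForOnPremisesAuthEnabled      = $true
        # pinMinimumLength / pinMaximumLength: set your own values; the post does not state them
    }
    $json = $body | ConvertTo-Json -Depth 5
    if (-not $Apply) { return $json }

    # Refuse to create a profile that is not scoped to the pilot group.
    if (-not $PilotGroupId) { throw 'PilotGroupId is required with -Apply.' }
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
    $base    = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
    $created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $json -ContentType 'application/json'
    $assign  = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $PilotGroupId } }) } | ConvertTo-Json -Depth 6
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
        -Body $assign -ContentType 'application/json' | Out-Null
    return $created.id
}

# Dry run: print the payload for review; nothing is sent to the tenant.
New-WhfbPilotProfile -DisplayName 'WHfB pilot'
```

Run it with `-Apply -PilotGroupId <group object ID>` only after the printed payload has been checked against your corporate security policy.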

Windows Hello User experience:

The end user will be presented with 3 screens – the end user needs to confirm with a phone call or a text message and then create a PIN on the device – the PIN will only be on the device and cannot be used on other devices, so it is safer than a password.

Read more:

Integrate Windows Hello for Business with Microsoft Intune
How to setup Windows Hello for Business in the new Intune portal
