This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I tried to set WHFB with Settings Catalog, using same options as I did with Identity Protection, but it seems with SC, it works very unreliably. It only enforces WHFB on part devices, not all. Some devices receive it fast, some very late and some not at all. Assignment and status is always green, but WHFB enrollment does not kick on. I assign it to devices because we also have shared computers we don't want it to be in use.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Pavel yannara Mirochnitchenko, Thanks for posting in Q&A.
From your description, I know Windows Hello for Business does not work if set with Settings Catalog using the same options as you did with Identity Protection.
Based on my research, Windows Hello for Business (WHFB) is designed for user-based authentication and requires each user to enroll their credentials, and WHFB enrollment is tied to a single user. So, ensure the user was assigned necessary licenses and has logon in targeted devices and sync with Intune.
Moreover, please go to targeted devices and launch Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin to see if there exist error message.
https://www.manishbangia.com/configure-windows-hello-for-business-using-intune/
Non-official, just for reference.
Please check above information, if there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
When Identity Protection was still supported, I also assigned WHFB policy to Devices and it always worked. This problem started appearing only after WHFB was transfered to Settings Catalog, and now I found out that I can't even create Identity Protection anymore.
If WHFB is designed to be applied to Users only, how we should deal with shared computers where same office workers have a need to sign in to shared computer, also managed by Intune?
@ZhoumingDuan-MSFT thanks in advance for this :)
@Pavel yannara Mirochnitchenko, Thanks for your reply.
Since July 2024, using Identity Protection create WHFB was deprecated and replaced by a new consolidated profile named Account protection. But any instances of the following older profiles that you have created remain available to use and edit:
Identity protection – previously available from Devices > Configuration > Create > New Policy > Windows 10 and later > Templates > Identity Protection
Account protection (Preview) – previously available from Endpoint Security > Account protection > Windows 10 and later > Account protection ( Preview)
That is why you can still use the old WHFB profile created by Identity Protection.
And after my deep research, it does support assigning to device group and shared devices, to clarify the issue, please check if exist the registry key to see if the policy applied.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork”
Non-official, just for reference.
Moreover, ensure the targeted devices OS and edition are in the supported list.
Thanks, I will try Account Protection. This must be something new :)
@Pavel yannara Mirochnitchenko, Thanks for your reply.
Please share with us if there is new process.
@ZhoumingDuan-MSFT first, if you look at Settings Catalog and Account Protection should support User and Device based deployments, option is available for both sides:
But the Event Viewer ID 360 says to me "Windows Hello for Business provisioning will not be launched". Same time, the policy is assigned to device successfully / green status.
Mean while I am testing different models.
Hi, @Pavel yannara Mirochnitchenko
Could you please first check the WHFB policy settings status in Intune portal to see if these settings are all success?
And check if the targeted devices OS and edition are in the supported list.
Then check if the targeted devices have successfully applied WHFB policy.
Non-official, just for reference.
@ZhoumingDuan-MSFT is it possible that after 24H2, WHFB requires TPM 2.0?
Hi, @Pavel yannara Mirochnitchenko
Based on my research, when provisioning Windows Hello, it creates cryptographic key which is saved to Trusted Platform Module (TPM) which is inbuilt to a device. So, it might need TPM to enable WHFB, please turn on TPM to see if we can successfully enable WHFB.
@ZhoumingDuan-MSFT I was refering to differences between TPM 1.2 and 2.0. All these laptops have TPMs but it varies between 1.2 and 2.0.
Hi, @Pavel yannara Mirochnitchenko
Based on my research, I find that TPM 1.2 does not support Device Encryption, so, that might be the reason why some of your devices cannot enable WHFB even if other things are all good.
https://tipsmake.com/what-is-the-difference-between-tpm-12-chip-and-tpm-20-chip
Non-official, just for reference.Also, it is recommended that you contact Microsoft Intune online support or Windows support to get more help.
https://support.microsoft.com/en-us/topic/customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2 ---Windows support
https://learn.microsoft.com/en-us/mem/get-support -Intune online
I have been using old hardware for testing for years with TPM 1.2 and only now I am starting to face this problem. Another variable in this is that now we are using Windows 11 24H2.
Let me share fiew events. In this case, WHFB did apply in TPM 2.0 computer but with delay. Delay does not matter, but I wanted to compare events. So, this are events from WHFB computer:
and later it is fine:
Now let me share events from computer with WHFB never applying.
and
Hi, @Pavel yannara Mirochnitchenko
After my deep research, there is also one way to try to fix the issue, please check Users may join devices to Microsoft Entra was configured All or selected under Microsoft Entra ID portal.
That is of course fine and has been set for a long time ago :)
Hmm.... in one TPM 1.2 computer, WHFB started working after ms update patching. I reviewed the logs and saw, that this value changes to 0x00000000 after patching restart and then WHFB hits on. But this situation takes few days after autopilot.
@Pavel yannara Mirochnitchenko, Thanks for your reply.
We are so glad that the issue was resolved, but it looks like a little strange, due to the limitation of Q&A, it is suggested that you open an online case to get more help.