Windows Hello Setup in Intune

Content

  • Method 1: Setup Windows Hello Using the default setup in Intune named Windows Hello for Business; “All Users and All Devices”
  • Method 2: Setup Custom Windows Hello Using Configuration Profiles
  • Managing PIN Reset

Method 1: Setup Windows Hello Using The Default Setup in Intune Named Windows Hello for Business; “All Users and All Devices”

  • Navigate to Microsoft Intune portal>>>click on Devices>>>Windows>>>Windows Enrollment>>>scroll down and under Enrollment Options, select Windows Hello for Business.
  • Name [All Users and All Devices (set by default and not changeable)]; Description (This is the default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership).
  • When Configure Windows Hello for Business is set to Not Configured, only Configure Windows Hello for Business and Use security keys for sign-in are displayed. 
  • Change Configure Windows Hello for Business from Not Configured to Enabled; this displays all the other configuration options for Windows Hello for Business.
  • Use a Trusted Platform Module (TPM) (Preferred); Minimum PIN Length (6); Maximum PIN Length (127); Lowercase letters in PIN (Not Allowed); Uppercase Letters in PIN (Not Allowed); Special Characters in PIN (Not Allowed); PIN Expiration Days (120); Remember PIN history (No); Allow Biometric authentication (Enable); Use enhanced anti-spoofing when available (Yes); Allow Phone Sign-in (Yes); Use security keys for sign-in (Not configured); Enable Enhanced Sign-in Security (Not configured)>>>click Save to assign the policy to all Windows computers and users.

Method 2: Setup Custom Windows Hello Using Configuration Profiles

  • Navigate to Microsoft Intune portal>>>click on Devices>>>Windows>>>Configuration Profiles>>>click Create and select New Policy.
  • Platform (Windows 10 and later); Profile Type (Templates)>>>search for Identity Protection and click to select it>>>click Create.
  • Name (Windows Hello Setup for Intune Devices); Description (This will allow the end users to setup and use finger print or facial recognition and PIN as alternatives to password authentication)>>>click Next.
  • Configure Windows Hello for Business (Enable); this displays the other configurations; Minimum PIN Length (6); Maximum PIN Length (Not configured); Lowercase letters in PIN (Not configured); Uppercase Letters in PIN (Not configured); Special Characters in PIN (Not configured); PIN Expiration Days (120); Remember PIN history (Not configured); Enable PIN Recovery (Enable); Use a Trusted Platform Module (TPM) (Not configured); Allow Biometric authentication (Enable); Use enhanced anti-spoofing when available (Enable); Certificate for on-premises resources (Not configured); Use security keys for sign-in (Not configured)>>>click Next to go to the Assignments tab.
  • Under the Assignments tab, click Add Groups and add the desired device group to the configuration profile. Now click Next to go to the next screen. 
  • Under the Applicability Rules, click Next.
  • Under Review and Create, click Create to complete setup of the Windows Hello configuration.  

Managing PIN Reset

  • Once Windows Hello has been set up in Intune, users will eventually need to change their PIN, for example when they forget it.
  • Two enterprise applications should automatically be created under Enterprise Applications (or App Registrations) in the Entra ID portal when an Entra ID device is registered: Microsoft PIN Reset Service Production and Microsoft PIN Reset Client Production.
  • If the applications have not been created, or users have not been granted permissions to them, a PIN change will fail and prompt the user for Global Administrator credentials to provide consent.
  • If the applications have not been created, navigate to Microsoft PIN Reset Service Production, log in with your Global Administrator credentials and click Accept to grant consent for the application to be created and given the needed permissions.
  • If you encounter the error “AADSTS500113: No reply address is registered for the application.”, it can be misleading; navigate to Enterprise Applications in your Entra ID portal and search for Microsoft PIN Reset Service Production, and it should come up.
  • Navigate to Microsoft PIN Reset Client Production, log in with your Global Administrator credentials and click Accept to grant consent for the application to be created and given the needed permissions.
  • Once you click Accept, it may take a while for it to complete creating the application and granting the necessary consent. Once it has finished creating the enterprise application, navigate to Enterprise Applications in Entra ID portal and search for Microsoft PIN Reset Client Production and it should come up.
  • Once the two enterprise applications have been created, make sure to add the desired groups or users in the Users and Groups area for each of the applications.
  • After these steps have been completed, users on Entra ID joined-only or Hybrid joined devices should be able to reset or change their PIN without issues.
  • You can take it a little further by creating a CSP policy to help recover the PIN in Intune on behalf of the user if they forget their PIN.
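An added check (not part of the original guide) that confirms the two PIN reset enterprise applications exist and lists who is assigned to them, using the Microsoft Graph PowerShell module; the scopes and the read-only approach are assumptions.

```powershell
# Added example: verify the PIN reset enterprise applications and their assignments.
# Assumes the Microsoft.Graph module is installed and the caller can read applications.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$expected = @('Microsoft PIN Reset Service Production', 'Microsoft Pin Reset Client Production')

# Pull the service principals once and match on display name (case-insensitive).
$pinApps = Get-MgServicePrincipal -All | Where-Object {
    $_.DisplayName -match '^Microsoft Pin Reset (Service|Client) Production$'
}

foreach ($name in $expected) {
    $sp = $pinApps | Where-Object { $_.DisplayName -ieq $name }
    if (-not $sp) {
        Write-Warning "$name is missing: admin consent has not been granted yet."
        continue
    }
    Write-Host "$name present (ObjectId $($sp.Id), AppId $($sp.AppId))"

    # Entries shown under 'Users and groups' for this enterprise application.
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    if (-not $assigned) {
        Write-Warning "  No users or groups are assigned to $name."
    } else {
        $assigned | ForEach-Object { Write-Host "  $($_.PrincipalType): $($_.PrincipalDisplayName)" }
    }
}
```

Run this after granting consent; a warning for either application means the PIN change prompt for Global Administrator credentials described above will still appear.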

Manage Microsoft Smartscreen PIN

  • Once you have set up the environment to allow users to reset their PIN, you may also want to configure PIN recovery, expiry and other parameters for the environment.
  • You can use two methods to achieve this: the Policy Configuration Service Provider (CSP), or Account Protection in Endpoint Security.
  • Policy CSP: ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery (replace {TenantId} with your own tenant ID).
  • Navigate to Microsoft Intune portal>>>click on Devices>>>Windows>>>Configuration Profiles>>>click Create and select New Policy.
  • Platform (Windows 10 and later); Profile Type (Templates)>>>search for Custom and click to select it>>>click Create.
  • Name: PIN Recovery; Description: PIN Recovery; OMA-URI: ./Device/Vendor/MSFT/PassportForWork/AAXXXBBBCDFFRDHHHJJH/Policies/EnablePinRecovery (AAXXXBBBCDFFRDHHHJJH stands in for your tenant ID); Data type: String; Value: True.
  • Identity Protection template (the same template used in Method 2, which includes the Enable PIN Recovery setting):
  • Navigate to Microsoft Intune portal>>>click on Devices>>>Windows>>>Configuration Profiles>>>click Create and select New Policy.
  • Platform (Windows 10 and later); Profile Type (Templates)>>>search for Identity Protection and click to select it>>>click Create.
  • Account Protection in Endpoint Security:
  • Navigate to Microsoft Intune portal>>>click on Endpoint Security>>>click on Account Protection>>>click Create Policy.
  • Platform (Windows); Profile (Account Protection)>>>click Create.
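The Policy CSP steps above, carried out through the Microsoft Graph API instead of the portal, as an added example that is not part of the original guide: it fills the tenant ID into the EnablePinRecovery OMA-URI from the signed-in context, creates the custom profile, and assigns it to a device group whose object ID is a placeholder. The Graph scope and the Microsoft.Graph module are assumptions.

```powershell
# Added example: create the 'PIN Recovery' custom profile with the real tenant ID.
# Assumes the Microsoft.Graph module is installed and the account can manage Intune configs.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# The OMA-URI needs the tenant's own ID in place of {TenantId}.
$tenantId = (Get-MgContext).TenantId
$omaUri   = "./Device/Vendor/MSFT/PassportForWork/$tenantId/Policies/EnablePinRecovery"

$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'PIN Recovery'
    description   = 'PIN Recovery'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'EnablePinRecovery'
            omaUri        = $omaUri
            value         = 'True'   # Data type String, value True, as in the portal steps
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created profile '$($created.displayName)' with id $($created.id)"

# Assign the profile to a device group; replace the placeholder with the group's object ID.
$groupId = '<device-group-object-id>'
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```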