
Windows Hello for Business (WHfB)

This is a minimal configuration for enabling WHfB at the device level.

Go to entra.microsoft.com
Devices > Overview > Device settings
Under "Users may join devices to Microsoft Entra", select a group
Add the user accounts that are allowed to Entra-join as members of this group


Go to intune.microsoft.com
Devices > Manage devices > Configuration > Create > New policy
Enter the following properties:
Platform: Windows 10 and later
Profile type: select Settings catalog, give it a name and description
Add settings

Category                    Setting name                            Value
Windows Hello for Business  Use Windows Hello For Business (device) true
Windows Hello for Business  Require Security Device                 true 
Scope tags: leave at default
Assignments: All devices

Registration, using an existing Windows 11 Enterprise device:
Search > Accounts > search "Access work or school" > Connect
Click "Join this device to Microsoft Entra ID"
Put in the UPN/email and log in (used msft-auth passkey)
After a successful registration, switch user
First login is username/password (no MFA)
Provisioning:
After login, prompted with "Use Windows Hello with your account"
MFA with msft-auth passkey
Prompted for a PIN, but no gesture (as the Windows device has neither an infrared camera nor a fingerprint reader)
Reboot, log in with the PIN

Running dsregcmd /status, I see these values:

AzureAdJoined    : YES
EnterpriseJoined : NO
DomainJoined     : NO
TpmProtected     : YES
WamDefaultSet    : YES
DeviceAuthStatus : SUCCESS
AzureAdPrt           : YES
AzureAdPrtUpdateTime : 2025-06-05 19:26:30.000 UTC
AzureAdPrtExpiryTime : 2025-06-19 19:26:29.000 UTC

Running klist, though, doesn't return anything. This tenant does not have cloud Kerberos configured; it would be interesting to see the result of klist with such a setup, as it should have a partial TGT which, when there is line of sight to a DC, gets converted to a full TGT.

Things to note: the PRT is valid for 14 days as expected, and it renews as long as the device is used within this timeframe. WHfB uses the TPM to store both the dk-priv and tk-priv keys, while dk-pub and tk-pub are sent to Entra ID. WAM is set, which means it uses refresh/access tokens (90-day/1-hour lifetime); this is the reason a disabled account can still have access to M365 workloads for 1 hour at most, as an access token cannot be recalled. I used to be part of the team that managed exited users, and I used CAP to take care of that 1-hour access token issue... until I also was let go, lol.
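To check this state without reading the output by hand, here is an added PowerShell snippet (my example, not from the post) that parses dsregcmd /status and flags anything that differs from the values above; the expected flags and the 14-day PRT window are taken from this post, and the embedded sample is the status block above.

```powershell
# Parse `dsregcmd /status` into a hashtable. Pass saved output via -Text,
# or omit it to run dsregcmd on the current device.
function Get-DsregState {
    param([string[]]$Text)
    if (-not $Text) { $Text = & dsregcmd.exe /status }
    $state = @{}
    foreach ($line in $Text) {
        # Status lines look like "    AzureAdJoined : YES"; headers and rulers are skipped.
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}
# Check the parsed state against the values the post reports for a WHfB-provisioned,
# Entra-joined device, and verify the 14-day PRT window from the update/expiry stamps.
function Test-WhfbState {
    param([hashtable]$State)
    $expected = @{ AzureAdJoined = 'YES'; TpmProtected = 'YES'; WamDefaultSet = 'YES'
                   DeviceAuthStatus = 'SUCCESS'; AzureAdPrt = 'YES' }
    $findings = @()
    foreach ($key in $expected.Keys) {
        if ($State[$key] -ne $expected[$key]) { $findings += "$key is '$($State[$key])', expected '$($expected[$key])'" }
    }
    $lifetimeDays = $null; $remainingDays = $null
    if ($State['AzureAdPrtUpdateTime'] -and $State['AzureAdPrtExpiryTime']) {
        # Stamps look like "2025-06-05 19:26:30.000 UTC": drop the suffix, parse culture-invariantly.
        $inv = [System.Globalization.CultureInfo]::InvariantCulture; $fmt = 'yyyy-MM-dd HH:mm:ss.fff'
        $update = [datetime]::ParseExact(($State['AzureAdPrtUpdateTime'] -replace ' UTC$', ''), $fmt, $inv)
        $expiry = [datetime]::ParseExact(($State['AzureAdPrtExpiryTime'] -replace ' UTC$', ''), $fmt, $inv)
        $lifetimeDays  = [math]::Round(($expiry - $update).TotalDays, 1)
        $remainingDays = [math]::Round(($expiry - [datetime]::UtcNow).TotalDays, 1)
        if ($lifetimeDays -ne 14) { $findings += "PRT lifetime is $lifetimeDays days, expected 14" }
        if ($remainingDays -le 0) { $findings += "PRT expired at $expiry UTC; an interactive sign-in is needed to get a new one" }
    } else {
        $findings += 'No PRT timestamps found (device not joined, or no PRT issued yet)'
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); PrtLifetimeDays = $lifetimeDays
                       PrtDaysRemaining = $remainingDays; Findings = $findings }
}
# Constructed sample copied from the status block above, so the check runs offline.
$sample = @'
AzureAdJoined        : YES
TpmProtected         : YES
WamDefaultSet        : YES
DeviceAuthStatus     : SUCCESS
AzureAdPrt           : YES
AzureAdPrtUpdateTime : 2025-06-05 19:26:30.000 UTC
AzureAdPrtExpiryTime : 2025-06-19 19:26:29.000 UTC
'@ -split "`r?`n"
Test-WhfbState (Get-DsregState -Text $sample)
```

With the sample, the report confirms the 14-day window but flags the PRT as expired because those timestamps are in the past; on a live device, omit -Text to read the current state.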


Issued dsregcmd /leave to try another method of device registration.
Go to intune.microsoft.com
Devices > Device onboarding > Enrollment > Windows tab > Enrollment options > Windows Hello for Business
- Configure Windows Hello for Business: Enabled
- Use a Trusted Platform Module (TPM): Required
- Leave rest at default
On the Windows 11 device > Accounts > Access work or school > Export your management logs
Get the file DeviceHash_COMPUTERNAME.csv from C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.zip
Back to Intune
Devices > Overview screen > By platform > select Windows
Device onboarding > Enrollment > Windows Autopilot > Devices
Import in the toolbar > browse to the CSV file > Import
Windows Autopilot devices screen, select Sync in the toolbar
To be continued...
