Operationally safe to set tenancy-wide Windows Hello for Business to 'Not configured'?
Hi Intuners,
Org has the tenancy-wide Windows Hello for Business setting set to Enabled. (Under Device onboarding > Enrollment > Windows > Windows Hello for Business).
There is evidence that when users log in to our current laptop fleet, which are Win 10 devices, they are landing on Key Trust rather than Cloud Trust.
We have enrolled some new Windows 11 laptops recently as part of a pilot, and at least one of these has landed on Cloud Trust. So, we know the Cloud Trust prerequisites (we are a hybrid organisation and tenancy) are in place.
My understanding is that to move to Cloud Trust deterministically, we should:
- Set the tenancy-wide setting (mentioned above) to 'Not Configured'
- Create a new policy under Endpoint Security > Account Protection which does not Block Windows Hello for Business and does not Enable Certificate Trust.
My understanding is that whilst this looks like a circular change on the surface, it effectively moves us from a race-condition enrollment ('might get Cloud Trust, might get Key Trust') to a predictable enrollment ('will get Cloud Trust').
My main concern is the first step - setting the tenancy-wide setting to 'Not Configured' - and being confident that this will not cause anything to break for existing users. Does anybody have experience of making this change, in the real world, who can confirm that this is safe to do and will not operationally impact end users?
TIA.
EDIT: found this in the MS Docs, which is encouraging to an extent: "Not Configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows devices don't change. All other settings on the pane are unavailable."
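The post rests on two observations that are worth making checkable before and after the change: which trust model each device has actually been configured for (the "landed on Key Trust vs Cloud Trust" evidence), and what the tenant-wide enrollment setting currently reads. The script below is an added example, not code from the original post or from Microsoft. It assumes that Intune/MDM-delivered PassportForWork policy values land under `HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork` and Group Policy values under `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork`, with the value names from the PassportForWork CSP and GPO templates (`UsePassportForWork`/`Enabled`, `UseCloudTrustForOnPremAuth`, `UseCertificateForOnPremAuth`); that cloud Kerberos trust gives the signed-in user a TGT for the realm `KERBEROS.MICROSOFTONLINE.COM`; and that the tenant-wide setting is exposed in Graph as a `deviceEnrollmentWindowsHelloForBusinessConfiguration` with a `state` property. The function names are the example's own. Run the device-side functions in the signed-in user's own (non-elevated) session so `dsregcmd` and `klist` report that user's state.

```powershell
# Added example (not from the original post). Device-side: report which WHfB
# trust model this device is configured for and whether the user got a cloud
# Kerberos TGT. Tenant-side: read the tenant-wide WHfB enrollment setting.

function Get-WhfbPolicyState {
    # Assumption: MDM (Intune CSP) and GPO policies live under these two roots.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork',   # Intune / MDM CSP
        'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'    # Group Policy
    )
    # Value names taken from the PassportForWork CSP and the WHfB GPO templates.
    $names = @('UsePassportForWork', 'Enabled',
               'UseCloudTrustForOnPremAuth', 'UseCertificateForOnPremAuth')
    $found = foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Walk the root and every subkey (the CSP nests values under the tenant ID).
        foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
            foreach ($name in $names) {
                $value = $key.GetValue($name, $null)
                if ($null -ne $value) {
                    [pscustomobject]@{
                        Source = $root; Key = $key.PSPath; Name = $name; Value = $value
                    }
                }
            }
        }
    }
    return $found
}

function Get-WhfbTrustSummary {
    $state = Get-WhfbPolicyState
    $cloud = $state | Where-Object Name -eq 'UseCloudTrustForOnPremAuth'  | Where-Object Value -eq 1
    $cert  = $state | Where-Object Name -eq 'UseCertificateForOnPremAuth' | Where-Object Value -eq 1
    # With neither cloud nor certificate trust set, a hybrid device falls back to key trust.
    $trust = if ($cloud) { 'Cloud Kerberos trust' }
             elseif ($cert) { 'Certificate trust' }
             else { 'Key trust (no cloud/certificate trust value present)' }

    # dsregcmd /status: "NgcSet : YES" means a WHfB key has been provisioned for this user.
    $m = dsregcmd /status | Select-String '^\s*NgcSet\s*:\s*(\S+)' | Select-Object -First 1
    $ngcSet = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }

    # klist: cloud Kerberos trust hands the user a TGT from the cloud KDC
    # (assumed realm name KERBEROS.MICROSOFTONLINE.COM).
    $cloudTgt = [bool](klist | Select-String 'krbtgt/KERBEROS\.MICROSOFTONLINE\.COM')

    [pscustomobject]@{
        ConfiguredTrust         = $trust
        WhfbKeyProvisioned      = $ngcSet
        CloudKerberosTgtPresent = $cloudTgt
        PolicyValues            = $state
    }
}

function Get-WhfbTenantEnrollmentState {
    # Requires the Microsoft.Graph PowerShell module and a signed-in account
    # with DeviceManagementServiceConfig.Read.All. Assumed shape: the tenant-wide
    # setting is a deviceEnrollmentConfiguration of the WHfB type with a 'state'
    # of enabled / disabled / notConfigured.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null
    $uri  = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    $resp.value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration' } |
        ForEach-Object {
            [pscustomobject]@{ DisplayName = $_.displayName; State = $_.state; Priority = $_.priority }
        }
}

# Usage: run on a pilot Win 11 device and on a Win 10 device and compare.
Get-WhfbTrustSummary | Format-List
# Usage: run from an admin workstation before and after flipping the tenant setting.
Get-WhfbTenantEnrollmentState
```

A Win 10 device showing `ConfiguredTrust = Key trust` with `CloudKerberosTgtPresent = False`, next to a pilot Win 11 device showing `Cloud Kerberos trust` with `True`, is the concrete form of the "might get Cloud Trust, might get Key Trust" evidence. Re-running `Get-WhfbTrustSummary` on an existing device after the tenant setting goes to Not Configured shows directly whether the docs' "existing settings don't change" statement holds for that device, since the `PolicyValues` it prints are the values the device actually has rather than what the portal says it should have.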