Thursday, July 15, 2021

Disable Misleading Windows Hello for Business Enrolment Toast Notification (20H2)

Disable Misleading Windows Hello for Business Enrolment Toast Notification (20H2)

Credit to Arend Dieperink for gathering these details

When Windows 10 20H2 was being deployed to Surface 3 laptop devices, we noticed that they received a Windows Hello toast notification popup after the update applied. When the user clicked on the notification, they were allowed to set-up Windows Hello (believing it was Windows Hello for Business, but it wasn't). It worked for the user, and they could log in with their camera or PIN. However, this couldn't be Windows Hello for Business.



These devices are set up as Hybrid Azure AD Joined/Hybrid AutoPilot and the supporting infrastructure to support WHFB in a Hybrid configuration is not yet in place. Therefore it clearly cannot be WHFB. The Azure AD Sign In logs confirms that's the case, as the sign-in events using Windows Hello actually show as a password sign-in instead of using WFHB.

How to disable?

So how do you stop users enrolling in this version of Windows Hello after the Windows feature update?... 

 In short, there is a registry value that controls whether this prompt shows. The toast notification will pop up 3 times and after that, will no longer appear.
The registry key/value is below. If you set this to 3 ahead of rolling out 20H2 (or maybe above) the prompt for Windows Hello shouldn't show to the user.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon]
"CreateEnrollmentPromptCount"=dword:00000003

How to remove Windows Hello from user's who enrolled


If you have users who have already enabled this flavour of Windows Hello, you can disable it by running the following from their device (needs to be run under the context of the user, as opposed to SYSTEM or an admin account)

certutil -deleteHelloContainer




0 comments:

Post a Comment