MFA mandatory to provision Windows Hello for Business via Intune?
Posted by Shadiux@reddit | sysadmin | 30 comments
Hi,
We're currently planning on rolling out Windows Hello for Business to our employees, to provide some extra security.
Apparently your account has to have some sort of MFA activated to be able to use Windows Hello.
Only around 10% of our workforce has a work phone, so a mobile authenticator is out of the question. I'm aware of the existence of FIDO2 keys and hardware tokens, but was curious to see if there are any other options for us.
-
Is there a way to circumvent the MFA requirement for Windows Hello provisioning?
-
What other mfa options do we have?
thanks in advance!
Pristine_Curve@reddit
Authenticator is not required. Any TOTP app will work for rolling codes. The employees aren't required to load your authenticator app, just to store the key in whatever app they are using for TOTP.
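The point above is that a "rolling code" is not tied to any vendor's app: it is the RFC 6238 TOTP computation (HMAC-SHA1 over a 30-second time counter, truncated to six digits), so any compliant app or OATH hardware token loaded with the same seed produces the same code. The following PowerShell is an added example, not code from the thread or from Microsoft; it implements TOTP from the seed and checks itself against the RFC 6238 test vector. The base32 seed format and the function names are assumptions for the example.

```powershell
# Added example (not from the thread): minimal RFC 6238 TOTP in PowerShell.
# Shows that a rolling code depends only on the shared seed and the clock,
# so any standards-compliant app or OATH token can hold the same secret.
# Assumes the seed is base32-encoded, as in most enrolment QR codes.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    # Tolerate padding, spaces and dashes that enrolment pages often add
    $clean = $Base32.ToUpperInvariant() -replace '[=\s-]', ''
    $bits = New-Object System.Text.StringBuilder
    foreach ($c in $clean.ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $bitString = $bits.ToString()
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bitString.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Period = 30,
        [int]$Digits = 6
    )
    # Time-step counter as an 8-byte big-endian integer (RFC 4226 section 5.3)
    $counter = [long][math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
    # whose top bit is cleared so the result is a positive 31-bit integer.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]

    $code = $binary % [int][math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

function Test-Rfc6238Vector {
    # RFC 6238 Appendix B: ASCII seed "12345678901234567890", T = 59 s,
    # SHA-1, 8 digits -> 94287082. The base32 string below is that seed.
    $seed = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
    return (Get-TotpCode -Secret $seed -UnixTime 59 -Digits 8) -eq '94287082'
}

# Usage: self-check against the RFC vector, then the current code for that seed,
# which should match what any TOTP app loaded with the same seed displays now.
Test-Rfc6238Vector
Get-TotpCode -Secret (ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')
```

The practical use is verification: before handing a third-party app or OATH token to a user, load the seed into both and confirm the codes agree. If the self-check fails, the clock or the seed encoding is wrong, not the app.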
Creddahornis@reddit
no MFA in 2026 is absolutely wild
bjc1960@reddit
And probably 70% of SMBs do not have it. I talked to one MSP and asked, "why no MFA?" He said, "client pays us, and client does not want it."
AppIdentityGuy@reddit
You don't want that client...
Broad-Celebration-@reddit
We told all of ours to suck it up. It's a requirement for basic security, which you pay us for. The fear of the requirement was anyway worse than it actually being enforced.
beritknight@reddit
What extra security are you expecting to get by enabling Hello when the underlying accounts don't have MFA?
Are you going to be requiring MFA using Hello to access 365 services after this? Or will only password with no MFA be accepted still?
ExceptionEX@reddit
So you are going to need a secondary factor, and without a mobile device available, you are fairly limited.
YubiKeys or smart cards are likely your best bet, with TAP for backup.
I haven't tried it, but you may be able to use a one-time password for Windows Hello for Business and after that use the PIN, but even if that works you need to do that for every worker, at every workstation they use.
Have you considered that Windows Hello for Business generally results in a shareable PIN that doesn't typically require a second factor after setup? This can often lead to front-line workers sharing them and defeating the whole point.
fireinspired2021@reddit
I've seen the shareable PIN happening. In my workplace generally the team leader or section manager has the list of all their staff PINs. It does feel like it defeats the whole MFA thing. But I'm not sure of any other alternative to this.
ExceptionEX@reddit
We blocked WHfB, use web login (passwordless), and as a backup they can use their password if need be.
No machine-specific PINs, though I've been reading that you can now, by policy, require phone-based MFA and PIN for WHfB.
bjc1960@reddit
I had that issue -I made 5 different Entra groups with different rules and assigned users based on "IT human intel." That solved it.
aldotheapache1032@reddit
Why not authenticator on personal phone if no work phone is available
Shadiux@reddit (OP)
Ah, forgot to mention, personal phones are not allowed to be used in a company context 🙃
Patient-Stuff-2155@reddit
So weird to me that you have such a phone policy (I assume it's for security), but yet no MFA :O
ExceptionEX@reddit
A lot of industrial and secure facilities don't allow personal phones in the work space(safety, security, productivity, etc), so personal phones can't be used.
Patient-Stuff-2155@reddit
the weird bit is not already forcing MFA when there are security standards for phones. If personal phones are not allowed in the work space AT ALL, then surely the job should offer everyone a work phone? I kinda assumed that means no work apps are allowed on personal phones, not denying people the usage of personal phones at the workplace completely.
JwCS8pjrh3QBWfL@reddit
Nah in those spaces it's generally because of distractions, so it's not the "personal vs work" thing, it's the "having a screen at all" thing.
ExceptionEX@reddit
Bingo, the idea is no phone at work, and there is generally no work communications when not working, if so it's usually via text or phone call.
dat510geek@reddit
And aged care and hospitals. But companies changed that when they saw the YubiKey quote for the thousands needed.
Ziegelphilie@reddit
Employer can't force employees to use their personal phone for stuff like this. We keep spare yubikeys for these cases.
UserSPD@reddit
You do not need to force personal phone use. RCdevs could be an option, it can be used with hardware tokens, FIDO2, etc. and makes it possible for users that do not want to authenticate using a phone app.
teriaavibes@reddit
Is this a new thing? I don't remember ever doing that.
IAmMcLovin83@reddit
I’m with you there. Will need to look into this.
Asleep_Spray274@reddit
Correct, to provision a strong authentication credential, you need to complete a strong authentication.
You can use TAP to provision the user on the device.
Cormacolinde@reddit
That's what I've done in a recent project. We issued TAPs and provisioned Hello with that. Worked great.
Substantial_Crazy499@reddit
TAP to complete enrollment
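The TAP approach described in the replies above (a Temporary Access Pass counts as the strong authentication that Windows Hello for Business provisioning demands) can be scripted so that helpdesk issues a single-use pass per user at onboarding. The following PowerShell is an added example and not code from the thread; it uses the Microsoft Graph PowerShell cmdlets for TAP methods. The function name, the 60-minute lifetime, the sample UPNs and the `contoso.example` domain are assumptions for the example; the lifetime must fall inside the range set in the tenant's TAP policy, and the script needs network access to Microsoft Graph.

```powershell
# Added example (not from the thread): issue a one-time Temporary Access Pass
# so a user can complete Windows Hello for Business provisioning without a
# phone. Assumes the Microsoft.Graph.Identity.SignIns module is installed,
# that TAP is enabled in the tenant's authentication methods policy, and that
# the signed-in admin holds a role permitted to manage authentication methods.

Import-Module Microsoft.Graph.Identity.SignIns

function New-EnrollmentTap {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Assumed value: must sit inside the lifetime range configured in the TAP policy.
        [int]$LifetimeMinutes = 60
    )

    # Entra allows one TAP per user at a time, so clear any leftover pass first
    # (a stale pass would otherwise make the create call fail).
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
        ForEach-Object {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod `
                -UserId $UserPrincipalName `
                -TemporaryAccessPassAuthenticationMethodId $_.Id
        }

    $body = @{
        isUsableOnce      = $true            # consumed by the first strong sign-in, i.e. the WHfB enrollment
        lifetimeInMinutes = $LifetimeMinutes
        startDateTime     = [DateTime]::UtcNow.ToString('o')
    }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserPrincipalName -BodyParameter $body

    # The pass value is only readable in this response. Hand it over out of band
    # (a printed slip at the IT induction), never by e-mail to the mailbox it unlocks.
    [pscustomobject]@{
        User       = $UserPrincipalName
        Pass       = $tap.TemporaryAccessPass
        SingleUse  = $tap.IsUsableOnce
        ExpiresUtc = ([DateTime]$tap.StartDateTime).AddMinutes($tap.LifetimeInMinutes)
    }
}

# Constructed sample input: the users being onboarded today (not real accounts).
$onboarding = @('alice@contoso.example', 'bob@contoso.example')

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
$onboarding | ForEach-Object { New-EnrollmentTap -UserPrincipalName $_ } | Format-Table -AutoSize
```

Because the pass is single-use and short-lived, it satisfies the "complete a strong authentication to provision a strong credential" rule without leaving a reusable second factor on the account; after enrollment the Windows Hello credential itself is the strong method, as noted further down the thread.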
Feloxx1@reddit
we add staff to an onboarding group that lets you skip the MFA requirement to sign in to a freshly Intune provisioned laptop. But only while I set them up. Then at first day IT induction they set up MFA on their personal phones, and then we add a Windows hello passkey to their laptops. I tell them the MS authenticator thing is basically for this one off setup. They really hardly ever need to use it after that. 👍🏼
mr-tap@reddit
The full list of Entra ID MFA options is at Microsoft Entra multifactor authentication overview - Microsoft Entra ID | Microsoft Learn
(Note that once it is provisioned, then Windows Hello for Business becomes one of the MFA options)
If your employees have work phone numbers, then I suppose 'voice call' might be the least worst?
I didn't know about the 'Authenticator Lite (in Outlook)' previously, but it would also need your staff to use their private phones (but they don't need to install a separate app if they already used Outlook Mobile).
baslighting@reddit
Can you deploy yubikey?
tech_is______@reddit
Temporary Access Passes
Patient-Stuff-2155@reddit
personal phone authenticator is better than no MFA...
SMS is also an option that I keep available. Not the best for security, I know, but authenticators are too complicated for some people, and it's better than nothing.