Security officers were dancing on the table. Recently I enabled Windows Hello for Business (WHfB) for a client. Their environment had thousands of Intune devices, and all are Azure AD Joined. Due to the impact it would have on the service desk (we would expect a few calls 😉 ), the company didn’t want to force Hello for Business. Enabling Hello for Business without any research or consideration can really ruin your sysadmin day. It would force every user to a mandatory Hello for Business wizard. And it’s almost impossible to start your work day without configuring it
Instead of this black scenario on a Monday morning, I decided to make use of the DisablePostLogonProvisioning registry key to make Hello for Business optional. Users had to consciously go to Settings -> Sign in Options to configure a PIN, fingerprint or facial recognition.
A disadvantage of this approach is the uncertainty about how many people have actually configured Hello for Business. Yes, Hello for Business is a safer login method, eliminating the need to enter a password. But if you offer it as optional (not mandatory), then how do you find out how much safer your users and company are?
Table of Contents
Track Windows Hello for Business Registration
Registration and reset events
To gain insight into how many users have configured Windows Hello for Business, we should use the Microsoft Entra ID portal (formerly known as Azure Active Directory). For these steps, you need to have at least one of the following roles assigned:
- Reports Reader
- Security Reader
- Global Reader
- Application Administrator
- Cloud Application Administrator
- Security Operator
- Security Administrator
- Global Administrator
To gain information about Hello for Business registration and usage, do the following:
- Navigate to portal.azure.com
- Click on Microsoft Entra ID.
- In the left bar, click Security
- In the left bar, click Authentication Methods
- In the left bar, click Registration and reset events. This page shows you all types of authentication registrations
- One way is to hit Download at the top to download a CSV. Then do some Excel magic and filter all Hello for Business registrations to get a good overview of last 30 days. Another way is to filter right away in the portal:
a. Click Method: All
b. Click the dropdown arrow
c. Deselect all methods, except Windows Hello for Business
d. Hit Apply (the button that is now hidden behind your dropdown box. Red card for the UX designer 🙂 ).
Unfortunately, the download reports and onscreen reports only list a maximum of 30 days. No further historical data is available. In addition to that, it is also unknown on what device the user registered Hello for Business. As you probably know, Hello for Business is a security measure that only applies to that one device, and specific user. In the case a user owns 3 Windows devices, it’s unclear if and on how many devices she configured WHfB.
User Registration Details
To get knowledge on which users have configured Windows Hello for Business in the past, go to User Registration Details. This report gives you some insights
After you have enabled Windows Hello for Business in your company, it’s possible to get some knowledge of how many users have registered for WHfB. However, it’s still quite difficult to get precise information on how more secure your company is (assuming WHfB is most secure to log on to a Windows machine). It’s something. But it’s not ideal.
I’m still looking for a report that shows every device and its primary user (assigned user), combined with a Password/Hello for Business login ratio. When all statistics show 100% Hello for Business, my goal is accomplished.
For more information, take a look at https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-methods-activity
By the way, If you ever want to undo a Windows Hello for Business implementation, I wrote an article about that a while ago 🙂 And in case you’re stuck at a Just a Moment PIN screen, this article is for you