Windows Hello hybrid key trust checking
I am working with a client on a WHfB implementation using the hybrid key trust deployment method. The customer has opted to use GPO as they are not quite ready yet for Intune policies.
The machines tested are using version 1909 of Windows 10 and are Hybrid joined, with many of the policies being deployed using GPO; however, I noticed that when the device is in MEM it has Intune workloads set for device configuration.
With this model, can I ask if it's OK to use GPO WHfB policies over Intune, or would I need to use Intune policies? When reviewing the configuration it seems that it is applying the policies.
The dsregcmd command shows the policy enabled as no; would I expect this if the policy is not delivered by Intune?
Also, I want to confirm that the machine is using WHfB rather than just regular Windows Hello. Is there a way I can confirm this?
Many thanks in advance for advice on this.
Answers ( 2 )
I think you can use GPO even though you have enabled the co-management workload for Intune policies. This is because the co-management workload is to control SCCM and Intune policies hitting each other creating conflicts. However, here the scenario is GPO vs Intune and that is handled differently. I think you see the expected behavior.
RSOP is the best place to check whether the group policy settings are applied or not.
Make sure you don’t set this policy: “MDMWinsOverGP”.
Here is the post from Vimal on this point
Got this resolved in the end. GPO was applying, and yes, you're right, the workloads in MECM don’t make a difference.
Looking at the logs, it results in an event ID 300 indicating success of WHfB provisioning.
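
The checks discussed in this thread (dsregcmd output, the GPO-delivered policy, MDMWinsOverGP and event ID 300) collected into one PowerShell script; this is an added example, not something posted by anyone in the thread. The registry paths and the event log name do not appear in the thread and are assumptions based on the default Windows locations.

```powershell
# Added example: gather evidence that WHfB is provisioned and GPO-driven.
# Run in the signed-in user's session, because NgcSet is reported per user.

# 1. Parse "Key : Value" lines from dsregcmd /status into a hashtable.
$status = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*([A-Za-z][\w-]*)\s*:\s*(.*?)\s*$') {
        $status[$Matches[1]] = $Matches[2]
    }
}

# 2. Device-scope WHfB GPO value ("Use Windows Hello for Business").
#    Assumed location; a user-scope GPO would not show up here.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$gpo = Get-ItemProperty -Path $gpoKey -Name Enabled -ErrorAction SilentlyContinue

# 3. MDMWinsOverGP, present only if an MDM delivered it (assumed location).
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdm = Get-ItemProperty -Path $mdmKey -Name MDMWinsOverGP -ErrorAction SilentlyContinue

# 4. Most recent event ID 300 in the User Device Registration log
#    (assumed to be the log the thread's event ID 300 refers to).
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-User Device Registration/Admin'
    Id      = 300
} -MaxEvents 1 -ErrorAction SilentlyContinue
$last300 = if ($evt) { $evt.TimeCreated } else { $null }

# 5. One object per machine/user, easy to export or compare across devices.
#    Empty fields mean the value was not found, not that it is disabled.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    User           = $env:USERNAME
    AzureAdJoined  = $status['AzureAdJoined']
    DomainJoined   = $status['DomainJoined']
    NgcSet         = $status['NgcSet']         # YES = a Hello key exists for this user
    PolicyEnabled  = $status['PolicyEnabled']  # the field the question refers to
    GpoWhfbEnabled = $gpo.Enabled              # 1 = policy enabled via GPO
    MDMWinsOverGP  = $mdm.MDMWinsOverGP        # empty = not set
    LastEvent300   = $last300
}
```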