What each setting does
| Setting | Effect |
|---|---|
| Allow Secondary Authentication Device | Allows a companion device (phone) to be used as a second factor on the lock screen |
| Configure Web Sign In Allowed Urls | Allowlists the specific URLs/domains the web sign-in credential provider may navigate to; required for Web Sign-in to work securely, since an empty list leaves the provider unrestricted |
| Enable Passwordless Experience | Hides the password field on the lock screen for Entra ID joined devices, forcing WHfB or web sign-in |
| Enable Web Sign In | Turns on the web-based credential provider on the lock screen |
Device lock screen (expected result once all four settings apply)
- Password field gone (Passwordless Experience)
- Web Sign-in option visible
- Opens browser-style auth page
- User can sign in with TAP
- User can sign in with Authenticator passkey
- WHfB Face/PIN still available
- Companion device (phone) usable as second factor
Cannot Force User to Biometric Enroll
Check with a Remediation / Compliance script instead
```powershell
# Detect if Windows Hello Face is enrolled
# Intended to run as SYSTEM under Intune remediation/compliance; the NGC and
# WinBio paths below are not readable by a standard user session.
try {
    $ngcPath = "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc"

    # Check NGC folder exists at all (WHfB enrolled)
    if (-not (Test-Path $ngcPath)) {
        Write-Output "WHfB not enrolled"
        exit 1
    }

    # Check for face enrollment via biometric database.
    # Caveat: any *.DB here means some biometric template (face or fingerprint)
    # exists; this check does not distinguish the modality.
    $biometricDB = Get-ChildItem "C:\Windows\System32\WinBioDatabase" -Filter "*.DB" -ErrorAction SilentlyContinue

    # Check for facial feature enrollment in NGC
    $faceEnrolled = Get-ChildItem $ngcPath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "1000" -or $_.Extension -eq ".pbf" }

    if ($faceEnrolled -or $biometricDB) {
        Write-Output "Face enrolled"
        exit 0 # Compliant
    } else {
        Write-Output "Face not enrolled"
        exit 1 # Non-compliant
    }
} catch {
    Write-Output "Detection error: $_"
    exit 1
}
```
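A companion detection script, added here as an example and not part of the original notes, that verifies the four settings from the table have actually landed on the device before the face-enrollment check is relied on. It assumes the settings are delivered via the Policy CSP Authentication area, whose current state is written under the PolicyManager registry key below with value names matching the CSP policy names, and that the allowed-URL list is a semicolon-separated string.

```powershell
# Added example: verify the four lock-screen settings are applied on the device.
# Assumption: Policy CSP (Authentication area) state lives under this key and
# the value names mirror the CSP policy names. Run as SYSTEM (Intune default).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'

# The three on/off switches are expected to be 1 (enabled).
$expected = @{
    AllowSecondaryAuthenticationDevice = 1
    EnablePasswordlessExperience       = 1
    EnableWebSignIn                    = 1
}

$failures = @()

if (-not (Test-Path $policyKey)) {
    Write-Output "Policy key missing: $policyKey (settings not delivered)"
    exit 1
}

$current = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

foreach ($name in $expected.Keys) {
    $actual = $current.$name
    if ($null -eq $actual -or [int]$actual -ne $expected[$name]) {
        $failures += "$name expected $($expected[$name]), found '$actual'"
    }
}

# Web Sign-in must be constrained to an explicit allowlist; an empty list
# means the credential provider can navigate anywhere.
$urls = [string]$current.ConfigureWebSignInAllowedUrls
if ([string]::IsNullOrWhiteSpace($urls)) {
    $failures += "ConfigureWebSignInAllowedUrls is empty"
} else {
    # Assumed semicolon-separated format; report the entries for the log.
    $entries = $urls -split ';' | Where-Object { $_.Trim() -ne '' }
    Write-Output "Web Sign-in allowlist has $($entries.Count) entr(y/ies)"
}

if ($failures.Count -gt 0) {
    Write-Output ("Non-compliant: " + ($failures -join '; '))
    exit 1
}

Write-Output "All four lock-screen settings applied"
exit 0
```

Pair it with the face-enrollment detection above in the same compliance or remediation package so a missing policy is reported separately from a missing enrollment.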
