{"id":9643,"date":"2026-05-12T06:48:34","date_gmt":"2026-05-12T06:48:34","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9643"},"modified":"2026-05-12T06:48:35","modified_gmt":"2026-05-12T06:48:35","slug":"windows-hello-for-business","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/windows-hello-for-business","title":{"rendered":"Windows Hello For Business"},"content":{"rendered":"\n

What each setting does<\/h3>\n\n\n\n
Setting<\/th>Effect<\/th><\/tr><\/thead>
Allow Secondary Authentication Device<\/strong><\/td>Allows a companion device (phone) to be used as a second factor on the lock screen<\/td><\/tr>
Configure Web Sign In Allowed Urls<\/strong><\/td>Whitelists specific URLs\/domains the web sign-in credential provider is allowed to navigate to \u2014 required for Web Sign-in to work securely<\/td><\/tr>
Enable Passwordless Experience<\/strong><\/td>Hides password field on lock screen for Entra ID joined devices \u2014 forces WHfB\/web sign-in<\/td><\/tr>
Enable Web Sign In<\/strong><\/td>Turns on the web-based credential provider on the lock screen<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Device lock screen <\/p>\n\n\n\n

?? Password field GONE (Passwordless Experience) <\/p>\n\n\n\n

?? Web Sign-in option visible <\/p>\n\n\n\n

?? Opens browser-style auth page <\/p>\n\n\n\n

?? User can sign in with TAP <\/p>\n\n\n\n

?? User can sign in with Authenticator passkey <\/p>\n\n\n\n

?? WHfB Face\/PIN still available <\/p>\n\n\n\n

?? Companion device (phone) usable as second factor<\/p>\n\n\n\n

Cannot Force User to Biometric Enroll<\/strong><\/p>\n\n\n\n

Check with Remmediation \\ Compliance<\/p>\n\n\n\n

# Detect if Windows Hello Face is enrolled\ntry {\n    $ngcPath = \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Ngc\"\n    \n    # Check NGC folder exists at all (WHfB enrolled)\n    if (-not (Test-Path $ngcPath)) {\n        Write-Output \"WHfB not enrolled\"\n        exit 1\n    }\n\n    # Check for face enrollment via biometric database\n    $biometricDB = Get-ChildItem \"C:\\Windows\\System32\\WinBioDatabase\" -Filter \"*.DB\" -ErrorAction SilentlyContinue\n    \n    # Check for facial feature enrollment in NGC\n    $faceEnrolled = Get-ChildItem $ngcPath -Recurse -ErrorAction SilentlyContinue | \n        Where-Object { $_.Name -match \"1000\" -or $_.Extension -eq \".pbf\" }\n\n    if ($faceEnrolled -or $biometricDB) {\n        Write-Output \"Face enrolled\"\n        exit 0  # Compliant\n    } else {\n        Write-Output \"Face not enrolled\"\n        exit 1  # Non-compliant\n    }\n} catch {\n    Write-Output \"Detection error: $_\"\n    exit 1\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
What each setting does SettingEffectAllow Secondary Authentication DeviceAllows a companion device (phone) to be used as a second factor on the lock screenConfigure Web Sign In Allowed […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9643","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t