{"id":9643,"date":"2026-05-12T06:48:34","date_gmt":"2026-05-12T06:48:34","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9643"},"modified":"2026-05-12T06:48:35","modified_gmt":"2026-05-12T06:48:35","slug":"windows-hello-for-business","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/windows-hello-for-business","title":{"rendered":"Windows Hello For Business"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">What each setting does<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Setting<\/th><th>Effect<\/th><\/tr><\/thead><tbody><tr><td><strong>Allow Secondary Authentication Device<\/strong><\/td><td>Allows a companion device (phone) to be used as a second factor on the lock screen<\/td><\/tr><tr><td><strong>Configure Web Sign In Allowed Urls<\/strong><\/td><td>Whitelists specific URLs\/domains the web sign-in credential provider is allowed to navigate to \u2014 required for Web Sign-in to work securely<\/td><\/tr><tr><td><strong>Enable Passwordless Experience<\/strong><\/td><td>Hides password field on lock screen for Entra ID joined devices \u2014 forces WHfB\/web sign-in<\/td><\/tr><tr><td><strong>Enable Web Sign In<\/strong><\/td><td>Turns on the web-based credential provider on the lock screen<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Device lock screen:<\/p>\n\n\n\n<p>- Password field GONE (Passwordless Experience) <\/p>\n\n\n\n<p>- Web Sign-in option visible <\/p>\n\n\n\n<p>- Opens browser-style auth page <\/p>\n\n\n\n<p>- User can sign in with TAP <\/p>\n\n\n\n<p>- User can sign in with Authenticator passkey <\/p>\n\n\n\n<p>- WHfB Face\/PIN still available <\/p>\n\n\n\n<p>- 
Companion device (phone) usable as second factor<\/p>\n\n\n\n<p><strong>Cannot Force User to Biometric Enroll<\/strong><\/p>\n\n\n\n<p>Check with a Remediation \/ Compliance detection script:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\"># Detect if Windows Hello Face is enrolled\ntry {\n    $ngcPath = \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Ngc\"\n    \n    # Check NGC folder exists at all (WHfB enrolled)\n    if (-not (Test-Path $ngcPath)) {\n        Write-Output \"WHfB not enrolled\"\n        exit 1\n    }\n\n    # Check for face enrollment via biometric database\n    $biometricDB = Get-ChildItem \"C:\\Windows\\System32\\WinBioDatabase\" -Filter \"*.DB\" -ErrorAction SilentlyContinue\n    \n    # Check for facial feature enrollment in NGC\n    $faceEnrolled = Get-ChildItem $ngcPath -Recurse -ErrorAction SilentlyContinue | \n        Where-Object { $_.Name -match \"1000\" -or $_.Extension -eq \".pbf\" }\n\n    if ($faceEnrolled -or $biometricDB) {\n        Write-Output \"Face enrolled\"\n        exit 0  # Compliant\n    } else {\n        Write-Output \"Face not enrolled\"\n        exit 1  # Non-compliant\n    }\n} catch {\n    Write-Output \"Detection error: $_\"\n    exit 1\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>What each setting does SettingEffectAllow Secondary Authentication DeviceAllows a companion device (phone) to be used as a second factor on the lock screenConfigure Web Sign In Allowed 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9643","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=9643"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9643\/revisions"}],"predecessor-version":[{"id":9644,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9643\/revisions\/9644"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=9643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=9643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=9643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}