WHfB make exception for one user + remove assigned WHfB phone number from user

Question

Hi all,

I have set up an Intune security policy to use Windows Hello for Business upon log in, so my colleagues only need to use the pin to sign in into their machines.

We have an account which functions as an account for interns. (ex: intern@company.com) This account changes users/machines frequently. After setting up Intune, I enabled WHfB on all company devices.

The first intern after this change used their private phone number to set up their pin. So their phone number is now linked to intern@company.com

Now I have encountered this problem:

The intern is no longer present, but their phone number still shows up when I try to set up this account for a new member (device asks to confirm phone number upon log-in attempt).

Also, I need to set up intern@company.com for multiple devices (and users) so I want to disable WHfB only on this device (I tried to make an exception in Intune, WHfB cannot be changed from "all devices")

So, is it possible to remove the phone number from this user?

How can I make an exception to Win Hello on this account?

Every tip is greatly appreciated -K

Answer 1

@Konstantinas Grigalaitis, Thanks for posting in Q&A.

For your issue, here are some suggestions you can refer.

Q1.is it possible to remove the phone number from this user?

A1. We can go to the https://myaccount.microsoft.com/ website and login in using the account and click UPDATE INFO under Security info to see if there exist the previous phone number and we can try to remove it, after that we can check if we can use the account to login in using WHfB without phone number authentication.

Q2. How can I make an exception to Win Hello on this account?

A1. If we enable Windows Hello for Business during enrollment, we cannot make an exception to Windows Hello for Business on one specific account, because we can only disable it for all users and device, however, we can first disable it and enable it via Account Protection policy, then we can exclude one specific account. If we enable it after device enrollment and configure it through Account Protection policy, we can create a user group containing the account to exclude from this policy, after that the account will not apply this policy.

https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure

Hope above information can help you, if there is any update, feel free to let me know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

@Konstantinas Grigalaitis, Thanks for your share.

We are really glad to the problem has been resolved. Please allow me to give a brief summary of this problem to help people with the same problem.

Issue Description:

How to make an exception to Windows Hello policy for one account and remove phone number linked from the account.

Resolution:

Thanks for your time and have a good day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.