One challenge with the policy setting, "Interactive logon: Require Windows Hello for Business or smart card," is that it requires that a WHFB PIN has already been created for the user. If an existing employee must sign into a device for the first time (device replacement, employee moves to a new location) or if a new employee is issued a device, it presents a challenge. I suppose we could maintain a separate "password allowed" OU until users have created a PIN, but this creates a security risk and administrative overhead. Would be nice if the policy setting checks whether a user attempting to sign in with a password has a WHFB container already, and THEN enforces it, OR IF NOT it would allow X number of password sign-ins with a warning before enforcement.