Windows Office Hours: December 19, 2024
Event details
We have hybrid joined AAD devices and are starting to roll out Windows Hello for Business. Is there a recommended way to remove the ability to log in with Windows Hello in case we need to block a user from accessing a device in the future? From what we understand, it can only be done with Intune if App Management loads have been moved to Intune, which we are a long way from being able to do.
(I'm not an MS employee)
It won't matter whether they have Hello or a password. Without visibility to the domain controller, the machine won't know that the account or device is disabled and they'll still be able to log into the machine. I may explore the suggestion Eric offered since we've played with blocking credential providers in the past, but currently, we use Entra to SSO for most of our corporate apps and when the account is disabled, they cannot access these items (new mail won't sync, OneDrive won't connect). We sometimes take the step of using the Isolate command in Defender to shut off internet on the device too. However, none of this will stop them from accessing files on the laptop. You can send a remote wipe command to the device, but you could lose corporate data. We're now deploying Entra Joined devices instead of Hybrid, and this is one of the reasons.
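For readers who want to see what "blocking credential providers" (mentioned in the reply above) looks like in practice, here is an added example that is not part of the original thread or Microsoft's own guidance. It disables the built-in Windows Hello credential providers on one machine by setting the `Disabled` value under each provider's key in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`, which removes the Hello tiles from the logon UI. The three CLSIDs are the commonly documented ones for the PIN, face and fingerprint providers and are treated as assumptions here; the `Get-RegisteredCredentialProvider` function lists what is actually registered on the box so you can confirm them before changing anything. As the reply notes, this does nothing about the underlying problem: a user with cached credentials can still sign in with a password while the device cannot reach a domain controller.

```powershell
# Added example (not from the original thread). Run elevated on the target device.
# Disables the built-in Windows Hello credential providers via the per-provider
# "Disabled" registry value. Removes Hello from the logon screen only; password
# sign-in with cached credentials still works offline.
#Requires -RunAsAdministrator

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Assumed CLSIDs of the built-in Hello providers (PIN, face, fingerprint).
# Verify them against Get-RegisteredCredentialProvider before relying on them.
$helloProviders = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN Logon'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Face Logon'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint Logon'
}

function Get-RegisteredCredentialProvider {
    # Enumerate every registered provider with its friendly name (the default value
    # of HKCR\CLSID\{clsid}) and whether it is currently disabled.
    Get-ChildItem $base | ForEach-Object {
        $clsid    = $_.PSChildName
        $name     = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        $disabled = (Get-ItemProperty $_.PSPath -Name Disabled -ErrorAction SilentlyContinue).Disabled
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $name
            Disabled = [bool]($disabled -eq 1)
        }
    }
}

function Set-CredentialProviderState {
    # Disable (Disabled=1) or re-enable (remove the value) one provider by CLSID.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][bool]$Disable
    )
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) {
        Write-Warning "$Clsid is not registered on this machine; skipping"
        return
    }
    if ($Disable) {
        New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue
    }
}

# Show what is registered, then disable the Hello providers.
Get-RegisteredCredentialProvider | Format-Table -AutoSize

foreach ($clsid in $helloProviders.Keys) {
    Set-CredentialProviderState -Clsid $clsid -Disable $true
    Write-Host "Disabled $($helloProviders[$clsid]) $clsid"
}

# To restore Hello sign-in later:
#   Set-CredentialProviderState -Clsid '{D6886603-9D2F-4EB2-B667-1971041FA96B}' -Disable $false
```

The change takes effect at the next logon screen (lock or sign-out). Because it is a local registry edit, it can be pushed by whatever management channel you already have (GPO preferences, a script run by your existing agent), without moving workloads to Intune; it can also be undone by anyone with local admin rights, so it is a convenience control rather than an access-control boundary.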