# Entra Joined with Hello

In this scenario, Windows Hello for Business (WHfB) is the primary sign-in method — PIN, fingerprint, or facial recognition. Peig Web Sign-In and Temporary Access Pass (TAP) are configured as fallbacks for situations where Hello is unavailable or has not yet been set up.

***

## Prerequisites

* Device is Microsoft Entra Joined
* Windows 10 or 11 Pro, Enterprise, or Education
* Device is managed by Microsoft Intune
* User has a valid Microsoft Entra ID license (Azure AD Premium P1 or higher recommended)

***

{% stepper %}
{% step %}

### Configure Windows Hello for Business

1. Go to **Intune admin center → Devices → Configuration profiles**
2. Click **+ Create profile**
3. Select **Platform: Windows 10 and later** and **Profile type: Settings catalog**
4. Name the profile (e.g. `WHfB Policy`) and click **Create**
5. In **Configuration settings**, click **+ Add settings** and search for `hello`
6. Add the following settings:

| Setting                                 | Value                  |
| --------------------------------------- | ---------------------- |
| Use Windows Hello For Business (Device) | Enabled                |
| Allow Use of Biometrics                 | Enabled                |
| Minimum PIN Length                      | 6 (or per your policy) |
| Require Security Device                 | Enabled                |

7. Assign the profile to your Entra Joined device group
8. Click **Create**

{% hint style="info" %}
Use the Settings Catalog — not GPO or CSP profiles. Settings Catalog is the current recommended method and applies at the next policy sync or device reboot.
{% endhint %}

#### First-time user experience

After sign-in and policy application, the Windows Hello setup wizard runs automatically:

1. User verifies identity via password or TAP
2. User creates a PIN (per policy)
3. User optionally enrolls biometric sign-in
4. Windows Hello becomes the default sign-in method going forward
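
To confirm on a device that the prerequisites and the Hello enrollment above actually took effect, the output of `dsregcmd /status` can be checked. The script below is an added example, not part of the Peig documentation. The function names are hypothetical and the sample lines are constructed; `AzureAdJoined`, `TpmProtected` and `NgcSet` are fields that `dsregcmd /status` prints.

```powershell
# Added example: parses "Name : Value" lines from dsregcmd /status and checks
# the fields relevant to this scenario. Function names are hypothetical.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Section banners ("| Device State |") do not match this pattern and are skipped
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-HelloReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    # Each check maps to a dsregcmd field and the value this scenario expects
    $expected = [ordered]@{
        'Device is Entra Joined'          = @('AzureAdJoined', 'YES')
        'Device key is TPM-protected'     = @('TpmProtected',  'YES')
        'Hello key exists for this user'  = @('NgcSet',        'YES')
    }
    foreach ($check in $expected.GetEnumerator()) {
        $field, $want = $check.Value
        [pscustomobject]@{
            Check  = $check.Key
            Field  = $field
            Actual = if ($State.ContainsKey($field)) { $State[$field] } else { '<missing>' }
            Pass   = ($State[$field] -eq $want)
        }
    }
}

# Constructed sample lines; on a real device use: $lines = dsregcmd /status
$lines = @(
    '             AzureAdJoined : YES',
    '              TpmProtected : YES',
    '                    NgcSet : NO'
)
Test-HelloReadiness -State (ConvertFrom-DsregStatus -Lines $lines) | Format-Table -AutoSize
```

`NgcSet` is reported per user, so run the check in the session of the user who enrolled. With the sample above, the `NgcSet` row fails, which is the state of a device before the user has completed the Hello setup wizard.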

{% endstep %}

{% step %}

### Configure Peig Web Sign-In as fallback

1. Go to **Intune admin center → Devices → Configuration profiles**
2. Click **+ Create profile**
3. Select **Platform: Windows 10 and later** and **Profile type: Settings catalog**
4. Name the profile (e.g. `Enable Web Sign-In`)
5. In the **Authentication** section, add the following settings:

| Setting                            | Value                  |
| ---------------------------------- | ---------------------- |
| Enable Web Sign In                 | Enabled                |
| Enable Passwordless Experience     | Enabled                |
| Configure Web Sign In Allowed URLs | `dev-integ.aducid.com` |

6. Assign to your Entra Joined device group and click **Create**

#### User experience

1. On the lock screen, select **Sign-in options → Sign in with web account**
2. A QR code and URL appear
3. The user scans the QR code on their Peig-registered mobile device
4. Peig handles the full authentication flow
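
The allowed-URL list is the setting that limits where the lock-screen web view may navigate, so it is worth checking that the value delivered to the device matches what was configured and nothing more. The script below is an added example, not part of the Peig documentation. The function name is hypothetical, the sample policy is constructed, and the registry key is an assumption about where MDM-delivered Policy CSP values for the Authentication area can be read.

```powershell
# Added example. Assumption: MDM-delivered Authentication policy values are
# readable under this PolicyManager key on the managed device.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'

function Test-WebSignInPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [Parameter(Mandatory)][string[]]$ExpectedDomains
    )
    $findings = @()
    foreach ($name in 'EnableWebSignIn', 'EnablePasswordlessExperience') {
        if ($Policy[$name] -ne 1) { $findings += "$name is not enabled (value: '$($Policy[$name])')" }
    }
    # ConfigureWebSignInAllowedUrls is a semicolon-delimited list of domains
    $actual = @("$($Policy['ConfigureWebSignInAllowedUrls'])" -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
    foreach ($d in $actual) {
        if ($d -notin $ExpectedDomains) { $findings += "Unexpected allowed domain: $d" }
    }
    foreach ($d in $ExpectedDomains) {
        if ($d -notin $actual) { $findings += "Missing allowed domain: $d" }
    }
    return $findings
}

# Constructed sample: an extra domain has crept into the allow-list.
$policy = @{
    EnableWebSignIn               = 1
    EnablePasswordlessExperience  = 1
    ConfigureWebSignInAllowedUrls = 'dev-integ.aducid.com;idp.example.test'
}
# On a managed device, build $policy from the registry instead:
#   $p = Get-ItemProperty -Path $PolicyKey
#   $policy = @{}; $p.PSObject.Properties | ForEach-Object { $policy[$_.Name] = $_.Value }

Test-WebSignInPolicy -Policy $policy -ExpectedDomains 'dev-integ.aducid.com'
```

For the sample policy the function reports `idp.example.test` as an unexpected allowed domain. An empty result means the device matches the profile configured above.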

{% endstep %}

{% step %}

### Configure Temporary Access Pass (TAP) as fallback

TAP is a time-limited one-time passcode for onboarding, provisioning, or recovery scenarios where other methods are unavailable.

#### Enable TAP in Entra ID

1. Go to [https://entra.microsoft.com](https://entra.microsoft.com/)
2. Navigate to **Microsoft Entra ID → Authentication methods → Temporary Access Pass**
3. Click **Enable**
4. Configure allowed duration and whether TAPs are one-time use

#### Issue a TAP for a user

1. Go to **Users → \[select user] → Authentication methods**
2. Click **+ Add authentication method → Temporary Access Pass**
3. Set validity period and one-time use preference
4. Click **Add** and copy the generated code

{% hint style="danger" %}
The TAP code is shown only once. Copy it immediately and deliver it to the user securely.
{% endhint %}

#### User experience

1. On the lock screen, click **Sign-in options → Temporary Access Pass**
2. Enter the TAP code
3. Device authenticates via Microsoft Entra ID
4. The Windows Hello setup wizard runs immediately after — the user sets up Hello for future sign-ins

{% endstep %}
{% endstepper %}

***

{% hint style="success" %}
Done with this scenario? Return to [Entra Device Enrollment](/welcome-to-peig-documentation/deployment-guides/microsoft-365/entra-device-enrollment.md) or continue to [Scenario 2](/welcome-to-peig-documentation/deployment-guides/microsoft-365/entra-device-enrollment/entra-joined-without-hello.md) to see how to configure devices without Windows Hello.
{% endhint %}

