Windows 10: Windows Hello for business user limitation per machine without TPM?

I was wondering if anyone knew if there was a user limitation on a machine for setting up users with windows hello for business when you dont use the TMP chip. I know that with the TPM chip there is a limitation of 10 users, but when you dont have the option selected you can add more than the 10, I have tested with 12 users and was wondering if there was any limitation in windows or if there was none like the amount of accounts on a machine.

:)

 

TPM clear doesnt affect Windows Hello

My observations :

Steps :

1. Set windows Hello with fingerprint and PIN

2. Run Clear-Tpm command

3. system gets rebooted

4. Windows hello finger print reader working , user can still unlock using fingerprint.





Ques 1 : Does TPM entries for windows Hello gets recreated/restored upon reboot?



Steps :

1. Set windows Hello with fingerprint and PIN

2. Run Disable-TpmAutoProvisioning -OnlyForNextRestart

3. Run Clear-Tpm command

4. system gets rebooted

5. Windows hello finger print reader not working , user cannot unlock using fingerprint.

6. Run 'Prepare TPM' from tpm.msc, TPM state changes to Ready

7. user still cannot unlock using fingerprint.

8. Restart Passport container service, it reloads Windows Hello hardare container

9. User can login using fingerprint.



Ques 2 : Does Passport container service restores TPM entries for Windows Hello?

 

Question about Windows Hello for business

Hi all,

As our company want to implement Windows Hello for business in Windows 10, I have few questions about this.

1. Once I enabled Windows Hello PIN in Windows 10, the domain user account password also stored in TPM?

2. If yes, any setting need to apply?

3. If no, how to protect domain user account password in Windows 10?

4. Do I need to backup any data in TPM or reset TPM setting once enable Windows Hello?

5. Once domain user account password expired or locked, can I use Windows Hello pin to login OS?

 

Can't disable Windows Hello for Business

I receive this error in Event Viewer whenever I boot Windows 10 Pro version 1709 build 16299.309.

Windows Hello for Business provisioning will not be launched.

Device is AAD joined ( AADJ or DJ++ ): Not Tested

User has logged on with AAD credentials: No

Windows Hello for Business policy is enabled: Not Tested

Local computer meets Windows hello for business hardware requirements: Not Tested

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: Not Tested

Machine is governed by none policy.

See Hybrid cloud Kerberos trust deployment (Windows Hello for Business) for more details.

I tried the following suggestion:

"Type gpedit.msc Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Passport for Work OR Windows Hello for Business Edit "Use Microsoft Passport for Work" OR "Use Windows Hello for Business" and set it to disabled."

I checked the registry and \HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled is set to 0.

I am using the Administrator account.

The error continues at every bootup.

Thank you.