Windows Hello for Business (WHfB) Considerations During Migration
How PowerSyncPro handles WHfB settings, cryptography, and biometrics during a device migration.
The Scenario
When migrating workstations between Microsoft 365 tenants, one of the most common questions administrators have is how to handle existing Windows Hello for Business (WHfB) configurations.
PowerSyncPro fully handles WHfB during the migration process, automatically resetting Windows Hello settings, underlying cryptographic keys, and biometric data. Depending on your chosen configurations, the PowerSyncPro Migration Agent reconfigures the workstation's join status while also clearing out these legacy WHfB settings alongside Intune enrollments and Azure Information Protection data.
How PowerSyncPro Handles Windows Hello for Business
If a workstation is connected to a source tenant that has WHfB enabled, PowerSyncPro actively resets the WHfB device configuration so that the machine is wiped clean and ready to receive the new target tenant's WHfB configuration.
- Automated Execution: This reset is handled seamlessly in the background and is triggered automatically during the "Device State" phase of the migration, provided a directory join option is selected in your runbook.
- The End-User Experience: Because the legacy PIN and biometric data (fingerprint, facial recognition) are inherently tied to the source tenant's identity, the user will be required to go through the WHfB setup wizard again upon logging into the target tenant for the first time. They will be prompted to create a new PIN and register their biometrics to secure their new target identity.
💡 Good to Know: PRTs and Intune Enrollment
As noted in our Intune Enrollment Post-Migration: Requirements & Troubleshooting document, enrolling in WHfB after a migration is highly beneficial. Completing the WHfB wizard generates an MFA-backed Primary Refresh Token (PRT) for the user. If your target Intune auto-enrollment was initially blocked by Conditional Access MFA requirements, generating this PRT via the WHfB setup will satisfy the requirement, allowing the device to successfully enroll into Intune during the Migration Agent's next hourly retry.
Target Tenant Controls: Entra ID vs. Active Directory (Hybrid)
While PowerSyncPro clears the legacy WHfB configuration, the target environment ultimately dictates whether the user is presented with the WHfB enrollment prompt at their first login. How this is enforced depends on your target join state.
For Entra ID Targets (Cloud-Only)
When targeting a migration directly into Entra ID, you can manage this experience within the Intune portal by navigating to Devices → Enrollment → Windows Hello for Business. The Configure Windows Hello for Business setting determines the end-user behavior:
- Enabled: The WHfB setup is strictly enforced, and users cannot skip the registration process.
- Not Configured: Users will be prompted to set up WHfB, but they will have the option to skip it.
- Disabled: The user will not be prompted to set up WHfB at all during login.

💡 Tip: Scoping WHfB to Specific Devices
If you want to limit WHfB enrollment to specific machines rather than the entire tenant, set the global Enrollment setting to Disabled and then enable WHfB through configuration policies assigned to dedicated device groups. Note: Because these policies rely on Intune, they apply only once the migrated machine has successfully enrolled into Intune, and they are enforced on subsequent logins or machine unlocks.
For Active Directory Targets (Hybrid Entra Join)
If you are migrating the workstation to an on-premises Active Directory target, PowerSyncPro's involvement with WHfB ends once the legacy configuration is cleared. The enforcement of your new WHfB setup is handled entirely by your native target environment mechanisms.
After PowerSyncPro successfully joins the machine to the target Active Directory, the machine must first successfully register with the target Entra tenant via the standard background Hybrid join process. Subsequently, the device must enroll into Intune (typically facilitated via a Group Policy Object / GPO). Only once these native background synchronization and enrollment processes complete will the target tenant's WHfB policies apply to the workstation and prompt the user to configure their new credentials.
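The "Good to Know" note above and the Hybrid join sequence just described both come down to a handful of device states that can be read back with the built-in dsregcmd tool. The following script is an added example, not part of PowerSyncPro or this article; it parses the output of dsregcmd /status and reports whether the join state, the user's PRT, the Windows Hello key (NgcSet) and the MDM enrollment URL look the way a completed migration should. The function names, the -TargetJoin parameter and its two values are assumptions of this example. Run it in a PowerShell session on the migrated workstation, signed in as the migrated user, after the first target-tenant logon.

```powershell
# Added example (not PowerSyncPro code): post-migration state check based on dsregcmd /status.
# Assumed names: Get-DsregStatus, Test-MigrationState and the -TargetJoin parameter.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    $lines  = & dsregcmd.exe /status
    foreach ($line in $lines) {
        # Keys contain letters, digits and spaces; the value starts after the first colon.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-MigrationState {
    param(
        # 'EntraId' for a cloud-only target, 'Hybrid' for an Active Directory target with Hybrid Entra join.
        [ValidateSet('EntraId', 'Hybrid')]
        [string]$TargetJoin = 'EntraId',
        [hashtable]$Status = (Get-DsregStatus)
    )

    # A Hybrid target must be both domain joined and Entra joined; a cloud-only target must not be domain joined.
    $expectDomainJoined = ($TargetJoin -eq 'Hybrid')

    $checks = [ordered]@{
        'Entra joined (AzureAdJoined = YES)'                 = ($Status['AzureAdJoined'] -eq 'YES')
        "Domain joined matches target (DomainJoined = $(if ($expectDomainJoined) {'YES'} else {'NO'}))" =
            (($Status['DomainJoined'] -eq 'YES') -eq $expectDomainJoined)
        'PRT issued for this user (AzureAdPrt = YES)'       = ($Status['AzureAdPrt'] -eq 'YES')
        'Windows Hello key registered (NgcSet = YES)'       = ($Status['NgcSet'] -eq 'YES')
        'MDM enrollment URL present (MdmUrl)'               = (-not [string]::IsNullOrWhiteSpace($Status['MdmUrl']))
    }

    # Emit one object per check so the result can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Passed = [bool]$checks[$name]
        }
    }
}

# Usage: Test-MigrationState -TargetJoin Hybrid | Format-Table -AutoSize
Test-MigrationState -TargetJoin EntraId | Format-Table -AutoSize
```

Reading the result against the text above: a missing PRT (AzureAdPrt = NO) is the state in which Conditional Access MFA requirements can block Intune auto-enrollment, and completing the WHfB wizard is what turns it to YES; on a Hybrid target, DomainJoined = YES with AzureAdJoined = NO means the background Hybrid join has not completed yet, so no target WHfB policy will apply until it does.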
Bypassing the WHfB Prompt via Runbook (Advanced)
While setting up WHfB is recommended for modern authentication, some organizations prefer a completely silent desktop experience post-migration and do not want users prompted to register a new PIN or biometric login immediately, regardless of Intune settings.
If you want to forcefully suppress the WHfB prompt locally after the migration completes, you must execute a custom completion script to disable the WHfB registry keys.
You can add the following PowerShell script to the Completion tab of your runbook to disable the PassportForWork post-logon provisioning:
# Create the PassportForWork policy key if it does not exist yet
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
if (!(Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}
# Enabled = 0 turns Windows Hello for Business off on this device
New-ItemProperty -Path $policyPath -Name 'Enabled' -Value 0 -PropertyType DWORD -Force | Out-Null
# DisablePostLogonProvisioning = 1 stops the post-logon WHfB setup wizard from starting
New-ItemProperty -Path $policyPath -Name 'DisablePostLogonProvisioning' -Value 1 -PropertyType DWORD -Force | Out-Null
You can find more information about setting up a completion script in this article: How to create a command line package to Run.
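Because the completion script above writes a local policy override that outlives the migration, it is worth being able to audit it and to remove it once the organization is ready for users to enroll in WHfB. The script below is an added example, not PowerSyncPro code or part of the runbook; it reports the two PassportForWork values, states whether the prompt is currently suppressed by them, and optionally removes the override so the target tenant's Intune or GPO WHfB policy decides on the next policy refresh. The function names and the -Remove switch are assumptions of this example; the registry path and value names are the ones used in the completion script.

```powershell
# Added example (not PowerSyncPro code): audit and optionally revert the local WHfB policy override
# written by the completion script. Assumed names: Get-WhfbPolicyOverride, Remove-WhfbPolicyOverride.

$WhfbPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-WhfbPolicyOverride {
    # Returns the current override values and whether they suppress the WHfB prompt.
    if (-not (Test-Path $WhfbPolicyPath)) {
        return [pscustomobject]@{
            KeyExists                    = $false
            Enabled                      = $null
            DisablePostLogonProvisioning = $null
            PromptSuppressed             = $false
        }
    }

    $props = Get-ItemProperty -Path $WhfbPolicyPath
    # Read each value only if it is present; a missing value means "not configured".
    $enabled = if ($props.PSObject.Properties.Name -contains 'Enabled') { [int]$props.Enabled } else { $null }
    $noProv  = if ($props.PSObject.Properties.Name -contains 'DisablePostLogonProvisioning') {
                   [int]$props.DisablePostLogonProvisioning } else { $null }

    [pscustomobject]@{
        KeyExists                    = $true
        Enabled                      = $enabled
        DisablePostLogonProvisioning = $noProv
        # Either WHfB disabled outright, or post-logon provisioning switched off, hides the wizard.
        PromptSuppressed             = (($enabled -eq 0) -or ($noProv -eq 1))
    }
}

function Remove-WhfbPolicyOverride {
    # Deletes only the two values the completion script wrote; other policy values stay untouched.
    param([switch]$Remove)

    $before = Get-WhfbPolicyOverride
    if (-not $Remove) {
        Write-Host "Audit only; pass -Remove to delete the override." -ForegroundColor Yellow
        return $before
    }
    if ($before.KeyExists) {
        Remove-ItemProperty -Path $WhfbPolicyPath -Name 'Enabled' -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $WhfbPolicyPath -Name 'DisablePostLogonProvisioning' -ErrorAction SilentlyContinue
    }
    # Return the state after removal so the caller can confirm PromptSuppressed is now $false.
    return Get-WhfbPolicyOverride
}

# Usage (elevated PowerShell): audit first, then remove when ready.
Get-WhfbPolicyOverride | Format-List
# Remove-WhfbPolicyOverride -Remove | Format-List
```

After the override is removed, the device does not prompt immediately: the Intune or GPO setting described in the sections above is what re-enables WHfB, and it takes effect on the next policy refresh and a subsequent login or unlock, so pair the removal with a check that the device has actually enrolled into Intune.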