Disable Windows Hello on Windows Devices after Intune Enrollment
There is no way of disabling Windows Hello after Intune enrollment, and when using mapped SMB shares and PIN logon, you always get prompted for a username/password to browse the folders.
We need the ability to disable Windows Hello (PIN/bio-login), and force Password login on Windows devices already enrolled in Intune.
Hi, everyone. I want to clarify: is this request for computers managed using the PC software client (PC agent), or is this for computers managed as mobile devices (MDM)?
This is incredibly annoying. PINs are incredibly dumb and decrease security. You're either allowing convenient, low security PINs or you require higher security PINs at which point you're basically using a password. Except it's a password that only works on that one device so the user is stuck remembering multiple passwords when they have an Azure AD/on-prem AD account specifically to prevent that.
In addition, there are actually good login options in Windows Hello like biometrics or security tokens so the solution should not be to disable Windows Hello entirely, but rather to allow us to just disable PINs while leaving other options intact and available. And by available I mean available and not required by default.
AzureAD, no onprem domain. M365 bus prem licenses.
I have disabled Windows Hello in Intune > Devices > Windows Enrollment > Windows Hello for Business.
I have an OOB laptop that I logged onto with my 365admin account and enrolled in Intune. I then go to log on as the user who will use the device and I am prompted to set up Hello. I choose to skip and it forces me to set up a PIN. It says organisation policies requires a pin.
Paul Reno commented
The trouble is, even though I've disabled Windows Hello in the policies, during the setup process it still says "Your organization requires Windows Hello"! This is not even remotely true.
Check out this new Modern MDM tool we are using. They allow you to create a Windows Hello profile to disable it even as early as during OOBE device enrollment or after enrollment, or allow only a specific policy within Windows Hello, like allow fingerprint and not PIN, etc.
I have disabled Windows Hello in Intune, Azure AD, and our local AD.
During Autopilot deployments, it is still requiring a PIN to be set up, even after I wipe the device.
It's not configured by default, but I've gone ahead and set it to disabled. Still asking for the PIN.
Is there any way I can disable this? We want to move forward with Autopilot and E5 licensing, but if I'm unable to remove even the PIN requirement, we'll have to look at another MDM solution.
Edmir Taipi commented
Go to Devices > Windows > Windows Device enrollment
Click on Windows Hello for Business and at the bottom, at the "Configure Windows Hello for Business" select Disable, Apply
Note: The Intune portal might change from time to time (design, arrangements).
@nicolai : If you enroll a device with WHFB > then disable it within Intune > the device will still have this setting configured locally.
It is possible to disable Windows Hello in the Windows Enrollment for All users. It takes a while before it has processed. Also possible to disable Windows Hello in a Configuration Profile.
Though to get Windows Hello authentication to work with an on-premises server you need to configure Kerberos authentication to flow from AAD and on-prem Domain Controllers. Some certificate configuration.
Richard Verbeek commented
In addition to my last post, this is for computers managed as mobile devices (MDM).
Richard Verbeek commented
Just enabled Windows Hello with Intune. Did not realize this would force users to enter a PIN or even a fingerprint.
After editing the policies, Windows 10-pc's keep asking for PIN and fingerprint.
When disabling Windows Hello with a policy, it would be nice if this configuration is pushed to Windows 10. Right now, the "enabled"-policy stays on the Windows 10-pc's...
@Tyler Castaldo This is for computers managed as mobile Devices (MDM)
We have this issue for both AAD and AD joined computers in multiple tenants. In at least one case we offer users the ability to use MFA unlock on their Win10 devices. If they choose to opt out we are unable to remove the PIN and revert back to just a password. We need the ability to remove the PIN.
Jake Ives commented
I had Windows Hello for Business enabled initially and enrolled 2 machines, but a couple of weeks later I decided to disable Windows Hello for Business because it was messing around with SMB Shares / Cached Credentials on the endpoints. Despite disabling Windows Hello for Business, the two machines I initially set up are still stuck wanting the user to enter a PIN. It's driving me insane.
David Benet commented
For us the issue is when Windows Hello is enabled using Intune Windows Enrollment policy settings.
Hi - facing a similar problem. When disabling Windows Hello in the Intune portal, it asks me to set all the requirements for pins etc - shouldn't this be the other way around i.e. disabling them all. I want users whose devices have joined Azure AD to just log in with their domain credentials. Instead - every time someone logs on to the device, they are forced through Windows Hello pin requirements. Am I missing something here?
Please please please fix this. I enabled Windows Hello, hoping that users would have the option to set a PIN if preferred, not realizing it would FORCE users into a PIN. After I disabled it, I still cannot remove their PINs.
This is critical and required by many CSP clients as well. Please add this policy asap.
Allyn Withington commented
This is a crucial function required if no WHfB isn't available in an environment. It's completely counter-intuitive to demand a PIN, then ask users to NOT use it if they want to use any form of SSO
For me it worked simply by removing old business accounts that I had in my personal PC, How?
If you go to: Windows configuration -> Accounts -> Access Work or School and remove any undesired or old accounts that you might have there. Then after removing them, you will have again the functionality of allowing you to remove this functionality of the PIN in the Windows Hello PIN.
At least it worked for me. I hope it works for you guys!