Disable Windows Hello on Windows Devices after Intune Enrollment
There is no way of disabling Windows Hello after Intune enrollment, and when using mapped SMB shares and PIN logon, you always get prompted for a username/password to browse the folders.
We need the ability to disable Windows Hello (PIN/bio-login) and force password login on Windows devices already enrolled in Intune.
This is critical and required by many CSP clients as well. Please add this policy ASAP.
Allyn Withington commented
This is a crucial function required if WHfB isn't available in an environment. It's completely counter-intuitive to demand a PIN, then ask users to NOT use it if they want to use any form of SSO.
For me it worked simply by removing old business accounts that I had on my personal PC. How?
If you go to Windows configuration -> Accounts -> Access Work or School and remove any undesired or old accounts that you might have there, then after removing them you will again have the option to remove the PIN under Windows Hello PIN.
At least it worked for me. I hope it works for you guys!
Scott Dart commented
We're in a small nonprofit, staffed entirely by volunteers who are flustered by not being able to do things the way they always have. I just want to be able to let them use a username and password to access Azure AD-joined machines. That doesn't seem like such a difficult request.
Thomas Larsen commented
We're experiencing the same problem. Once enrolled and the PIN has been set up, we have not been able to remove it again. We're experiencing issues with 802.1X wired auth via MS-CHAPv2 when mixed with Windows Hello for Business. After login, users are prompted to authenticate to the network because the password was wrong. Cached credentials are up to date and we can access on-prem legacy resources like network drives just fine. I'm just annoyed that I can't disable the Hello feature once it's enabled without reinstalling the device.
Troels Hviid commented
Tried following the method by Michael M. - Deactivating Hello in Azure AD Intune, but not able to save when I have chosen Disable...
How is the environment configured?
We had the same issues but after updating Azure AD Connect to sync 2016 schema and updated the certificates on the domain controllers it worked.
This requires that the AD schema is 2016 or higher (note: the functional level can be lower, but the schema itself must be 2016). It stores the required information in the msDS-KeyCredentialLink attribute. Check in the AAD Connector that the attribute is available and enabled. It will not work without this.
It also requires that the certificate on the domain controllers (KDC Authentication) is configured with a CRL that can be accessed by the computers, e.g. for Azure AD joined-only devices, the CRL must be published to an HTTP web site with anonymous access.
We can now access UNC shares without prompt for credentials on our computers that are only joined to Azure AD.
There are plenty of blogs describing how to do this.
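The three prerequisites listed in the comment above (2016 schema, msDS-KeyCredentialLink synced, KDC Authentication certificate with an anonymously reachable HTTP CRL) can be checked with the added script below; it is example code written for this thread, not from the commenter or from Microsoft. It assumes it is run on a domain controller (or a machine with the ActiveDirectory RSAT module for the schema checks) and that the CRL URLs are served over plain HTTP.

```powershell
# Added example: prerequisite checks for hybrid Windows Hello for Business
# key trust as described in the thread. Assumes a domain-joined host with the
# ActiveDirectory module; the certificate check expects a DC's machine store.
Import-Module ActiveDirectory

# 1. Schema level: Windows Server 2016 schema has objectVersion 87.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$objVer   = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
if ($objVer -ge 87) { "Schema objectVersion $objVer (2016 or later): OK" }
else { "Schema objectVersion $objVer is below 87: extend the schema first" }

# 2. The attribute that stores the Hello public key must exist in the schema.
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)'
if ($attr) { "msDS-KeyCredentialLink present in schema: OK" }
else { "msDS-KeyCredentialLink missing from schema" }

# 3. DC certificate with the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5)
#    must carry an HTTP CRL Distribution Point (extension OID 2.5.29.31).
#    Invoke-WebRequest sends no credentials unless asked, so a success here
#    means the CRL is reachable anonymously from this host.
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5' }
if (-not $kdcCerts) { "No certificate with the KDC Authentication EKU found" }
foreach ($cert in $kdcCerts) {
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { "$($cert.Thumbprint): no CRL Distribution Point extension"; continue }
    # Extract only the http:// URLs; ldap:/// CDPs are useless to Azure AD joined devices.
    $urls = [regex]::Matches($cdp.Format($false), 'http://[^\s,]+') | ForEach-Object { $_.Value }
    if (-not $urls) { "$($cert.Thumbprint): CDP has no HTTP URL"; continue }
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            "$($cert.Thumbprint): CRL $u reachable (HTTP $($r.StatusCode))"
        } catch {
            "$($cert.Thumbprint): CRL $u NOT reachable: $($_.Exception.Message)"
        }
    }
}
```

Run the last section again from an Azure AD joined-only client to confirm the CRL is reachable from where the Hello logons actually happen.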
Wolfgang Bach commented
You can deploy Windows Hello for Business hybrid and all your password prompts will go away.
Phillip Howell commented
This would make my deployments so much smoother. +3
I have no problems using the newer Methods, as long as they work.
It's a fact that you encounter username/password problems on local installations (SMB/servers etc.) when you use Windows Hello as the login method.
If you do a quick Google search it will confirm this.
We have to either disable Windows Hello, or fix this problem.
Why would you be focusing on ways to authenticate which Microsoft have proven to be less secure than the newer methods that are made part of Intune? Don't you want your users to be more secure? Or do you have legacy applications that simply cannot handle it for some reason that I can't think of?