Disable Windows Hello on Windows Devices after Intune Enrollment
There is no way of disabling Windows Hello after Intune enrollment, and when using mapped SMB shares and PIN logon, you always get prompted for a username/password to browse the folders.
We need the ability to disable Windows Hello (PIN/bio-login), and force Password login on Windows devices already enrolled in Intune.
Hi, everyone. I want to clarify: is this request for computers managed using the PC software client (PC agent), or is this for computers managed as mobile devices (MDM)?
@nicolai: If you enroll a device with WHfB, then disable it within Intune, the device will still have this setting configured locally.
It is possible to disable Windows Hello in the Windows Enrollment settings for all users. It takes a while before it has been processed. It is also possible to disable Windows Hello in a Configuration Profile.
Though to get Windows Hello authentication to work with on-premises servers, you need to configure Kerberos authentication to flow between AAD and the on-premises Domain Controllers. Some certificate configuration is required.
Richard Verbeek commented
In addition to my last post, this is for computers managed as mobile devices (MDM).
Richard Verbeek commented
Just enabled Windows Hello with Intune. Did not realize this would force users to enter a PIN or even a fingerprint.
After editing the policies, Windows 10 PCs keep asking for a PIN and fingerprint.
When disabling Windows Hello with a policy, it would be nice if this configuration were pushed to Windows 10. Right now, the "enabled" policy stays on the Windows 10 PCs...
@Tyler Castaldo This is for computers managed as mobile Devices (MDM)
We have this issue for both AAD and AD joined computers in multiple tenants. In at least one case we offer users the ability to use MFA unlock on their Win10 devices. If they choose to opt out we are unable to remove the PIN and revert back to just a password. We need the ability to remove the PIN.
Jake Ives commented
I had Windows Hello for Business enabled initially and enrolled 2 machines, but a couple of weeks later I decided to disable Windows Hello for Business because it was messing around with SMB shares / cached credentials on the endpoints. Despite disabling Windows Hello for Business, the two machines I initially set up are still stuck wanting the user to enter a PIN. It's driving me insane.
David Benet commented
For us the issue is when Windows Hello is enabled using Intune Windows Enrollment policy settings.
Hi, facing a similar problem. When disabling Windows Hello in the Intune portal, it asks me to set all the requirements for PINs etc. Shouldn't this be the other way around, i.e. disabling them all? I want users whose devices have joined Azure AD to just log in with their domain credentials. Instead, every time someone logs on to the device, they are forced through the Windows Hello PIN requirements. Am I missing something here?
Please please please fix this. I enabled Windows Hello, hoping that users would have the option to set a PIN if preferred, not realizing it would FORCE users into a PIN. After I disabled it, I still cannot remove their PINs.
This is critical and required by many CSP clients as well. Please add this policy asap.
Allyn Withington commented
This is a crucial function required if WHfB isn't available in an environment. It's completely counter-intuitive to demand a PIN, then ask users to NOT use it if they want to use any form of SSO.
For me it worked simply by removing old business accounts that I had on my personal PC. How?
Go to Windows Settings -> Accounts -> Access work or school and remove any undesired or old accounts that you might have there. After removing them, you will again be able to remove the PIN under Windows Hello PIN.
At least it worked for me. I hope it works for you guys!
Scott Dart commented
We're in a small nonprofit, staffed entirely by volunteers who are flustered by not being able to do things the way they always have. I just want to be able to let them use a username and password to access Azure AD - joined machines. That doesn't seem like such a difficult request.
Thomas Larsen commented
We're experiencing the same problem. Once enrolled and the PIN has been set up, we have not been able to remove it again. We're experiencing issues with 802.1X wired auth via MS-CHAPv2 when mixed with Windows Hello for Business. After login, users are prompted to authenticate to the network because the password was wrong. Cached credentials are up to date and we can access on-prem legacy resources like network drives just fine. I'm just annoyed that I can't disable the Hello feature once it's enabled without reinstalling the device.
On new computers users are able to choose if they want to use Hello features or not.
If the Hello option is enabled within Intune for the computer, it gets enforced for all users on the computer. At a later time if this policy is removed or “not configured” for the computer, then Hello is stuck in an Enabled state. There appears to be a bug in the way Intune removes previously configured settings.
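Before reinstalling a device that is "stuck" in the Enabled state described above, it helps to see what the device itself believes its join and policy state to be. The script below is an added diagnostic, not code from anyone in this thread or from Microsoft. It parses the output of the built-in `dsregcmd /status` and then reads the two registry locations where the Hello for Business policy is stored locally; the Group Policy path is documented, while the MDM path (a tenant-GUID subkey under `HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork`) is assumed to match the TenantId that `dsregcmd` reports.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the
# affected Windows 10 device while the affected user is logged on.

function Get-DsRegStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsRegStatus

# Device state: which directories the device is joined to, and which tenant.
# User state: NgcSet = YES means a Hello container (PIN/biometric key) exists for this user.
'AzureAdJoined', 'DomainJoined', 'EnterpriseJoined', 'TenantId',
'WorkplaceJoined', 'NgcSet', 'NgcKeyId' | ForEach-Object {
    '{0,-18} {1}' -f $_, $s[$_]
}

# Group Policy location for "Use Windows Hello for Business" (value name: Enabled).
$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

# MDM (Intune PassportForWork CSP) location (value name: UsePassportForWork).
# ASSUMPTION: the tenant GUID subkey equals the TenantId from dsregcmd; if the
# device was enrolled into a different tenant earlier, list the parent key instead.
$mdmPath = "HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\$($s['TenantId'])\Device\Policies"

foreach ($path in @($gpoPath, $mdmPath)) {
    if (Test-Path $path) {
        "Policy values still present under $path :"
        Get-ItemProperty -Path $path | Select-Object -Property * -ExcludeProperty PS*
    }
    else {
        "No policy key at $path"
    }
}
```

If the MDM key is still present with UsePassportForWork set after the Intune policy was changed to Disabled or Not configured, the device has kept the old setting locally, which is the behaviour the comment above describes. Removing the key by hand only stops the re-prompting; the user's existing container is separate and can be removed with the built-in `certutil -DeleteHelloContainer`, run as that user, after which the PIN is gone and a password logon is used until policy enrolls the user again.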
Troels Hviid commented
Tried following the method by Michael M. - Deactivating Hello in Azure AD Intune, but not able to save when I have chosen Disable....
How is the environment configured?
We had the same issues but after updating Azure AD Connect to sync 2016 schema and updated the certificates on the domain controllers it worked.
This requires that the AD schema is 2016 or higher (note: the functional level can be lower, but the schema itself must be 2016). It stores the required information in the msDS-KeyCredentialLink attribute. Check in the AAD Connect connector that the attribute is available and enabled. It will not work without this.
It also requires that the certificate on the domain controllers (KDC Authentication) is configured with a CRL that can be accessed by the computers, e.g. for Azure AD-joined-only devices, the CRL must be published to an HTTP web site with anonymous access.
We can now access UNC shares without prompt for credentials on our computers that are only joined to Azure AD.
There are plenty of blogs describing how to do this.
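The prerequisites listed in the comment above (a 2016 or later schema, the msDS-KeyCredentialLink attribute, and a KDC Authentication certificate on each DC whose CRL an Azure AD-joined device can fetch anonymously over HTTP) can each be checked from PowerShell before rolling out hybrid Hello for Business. The script below is an added example, not code from anyone in this thread or from Microsoft. It assumes the ActiveDirectory module is installed, that the account running it can query the schema and run remote PowerShell on the DC, and that the CRL test is run from an Azure AD-joined-only client, since a domain-joined machine would mask an anonymous-access problem.

```powershell
# Added example (not from the thread): check hybrid WHfB prerequisites.
Import-Module ActiveDirectory

function Get-SchemaVersion {
    # objectVersion of the Schema naming context: 87 = Windows Server 2016,
    # 88 = Windows Server 2019/2022. Hybrid key trust needs 87 or higher,
    # regardless of the domain/forest functional level.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    return [int]$schema.objectVersion
}

function Test-KeyCredentialLinkAttribute {
    # The attribute that stores the user's Hello public key; absent on pre-2016 schemas.
    $rootDse = Get-ADRootDSE
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)'
    return [bool]$attr
}

function Get-KdcCertificateCrlUrls {
    param([Parameter(Mandatory)][string]$DomainController)
    # On the DC: find certificates carrying the KDC Authentication EKU
    # (OID 1.3.6.1.5.2.3.5) and extract every URL from the CRL Distribution
    # Points extension (OID 2.5.29.31). ldap:// entries are useless to an
    # Azure AD-joined-only client; at least one http:// entry must exist.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5'
        } | ForEach-Object {
            $cdp  = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
            $urls = @()
            if ($cdp) {
                $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,]+') |
                    ForEach-Object { $_.Value }
            }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                HttpCrl    = $urls
            }
        }
    }
}

function Test-CrlAnonymousAccess {
    param([Parameter(Mandatory)][string[]]$Urls)
    # Plain GET with no credentials, as an Azure AD-joined-only device would do.
    foreach ($u in $Urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $u; Status = $r.StatusCode; Bytes = $r.Content.Length }
        }
        catch {
            [pscustomobject]@{ Url = $u; Status = 'FAILED'; Bytes = 0; Error = $_.Exception.Message }
        }
    }
}

# --- usage ---
$version = Get-SchemaVersion
"Schema objectVersion: $version (need 87 or higher)"
"msDS-KeyCredentialLink present: $(Test-KeyCredentialLinkAttribute)"

$dc = [string](Get-ADDomainController -Discover).HostName   # or name a DC explicitly
$certs = Get-KdcCertificateCrlUrls -DomainController $dc
$certs | Format-List Subject, NotAfter, HttpCrl
if (-not ($certs.HttpCrl | Where-Object { $_ })) {
    Write-Warning "No HTTP CRL URL on $dc's KDC certificate; Azure AD-joined-only clients cannot check revocation."
}
Test-CrlAnonymousAccess -Urls ($certs.HttpCrl | Select-Object -Unique) | Format-Table -AutoSize
```

The schema and attribute checks confirm the directory side; whether AAD Connect actually exports msDS-KeyCredentialLink still has to be confirmed in the Synchronization Service Manager (Connectors > the AD connector > Properties > Select Attributes), which is the "AAD Connector" check the comment refers to. A `FAILED` row from the CRL test on an Azure AD-joined-only client, with a `200` from a domain-joined one, is the anonymous-access misconfiguration the comment warns about.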
Wolfgang Bach commented
You can deploy Windows Hello for Business hybrid and all your password prompts will go away.
Phillip Howell commented
This would make my deployments so much smoother. +3