Hi, it’s Brent from the Windows Directory Services team. I recently worked a case concerning a user whose Windows Hello for Business (“WHfB”) policy had been disabled, yet the user could still sign in to the computer with their PIN. As you may have guessed, the Windows admin team for this user’s Active Directory domain wanted to know how this could happen and how they could remove this sign-in option from the user.
Let’s Talk About the Problem
The user retaining the ability to sign in with their PIN wasn’t the only issue the admin team encountered. When they asked the user to remove the WHfB PIN sign-in themselves, they found that the Remove option under the Windows Hello PIN sign-in setting was greyed out.
So it appeared there was no way to remove the user’s ability to sign in with their WHfB PIN.
How Did We Get Here?
A Microsoft Intune policy or Active Directory Group Policy Object (“GPO”) had originally been enabled for this user to provision Windows Hello for Business sign-in. Some time after the user was provisioned and signing in with their PIN, the Windows admin team decided this user should no longer use WHfB credentials. To remove the user’s ability to do so, they configured the Intune and/or GPO policy to disable Windows Hello for Business. After the policy refreshed successfully on the user’s computer, they confirmed that the PassportForWork policy value was set to disabled, as follows:
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork
Enabled REG_DWORD 0x0
The actions above do not remove an already provisioned user’s ability to sign in to the Windows computer with their Windows Hello for Business PIN. To understand why, it helps to be clear about what an Intune policy or GPO actually controls in relation to the Windows Hello for Business credential provider.
When an Intune policy or GPO enables WHfB for a user, all it does is allow that user to run the provisioning (enrollment) process for Windows Hello for Business. Provisioning and authentication are two separate components of the Windows Hello for Business feature: provisioning creates the user’s Hello container (the PIN-protected key pair and its registration), and authentication uses that container at sign-in.
Because the policy only gates whether a user may start the provisioning process, it no longer plays a part once the user has successfully provisioned. An already provisioned user can keep signing in with their Windows Hello for Business PIN even after the policy is set to disabled, because the container that authentication relies on still exists on the device.
This behavior is expected and by design, and it is documented in the following published article: Manage Windows Hello in your organization - Windows Security | Microsoft Learn
However, once the policy is set to disabled, the user can no longer start the provisioning process at all. The Remove button under the Windows Hello PIN sign-in setting also invokes provisioning, which is what would allow the user to un-enroll from Windows Hello for Business. Therefore, the Remove button being unavailable is likewise expected and by design in this configuration.
How will the PIN Sign-in be Removed if Provisioning is Disabled?
To disable Windows Hello for Business in this situation, the user’s Windows Hello container must be deleted. The container is per user and per device, so the user performs the following steps, in their own user context, on each Windows computer on which they were provisioned before the policy was disabled:
- Have the user sign in to the Windows computer with their username and password.
- Open a command prompt as the user (a normal, non-elevated prompt, not an admin prompt) and run the following command:
certutil.exe -deleteHelloContainer
- Close the command prompt and restart the computer.
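As an added example (not part of the original post), the following PowerShell script ties the two halves of this article together: it reads the PassportForWork policy value from both the computer and user hives shown above, refuses to proceed if provisioning is still enabled (in which case deleting the container would only cause Windows to prompt the user to enroll again at the next sign-in), and then runs the same certutil.exe -deleteHelloContainer command as the signed-in user and checks its exit code. It assumes the policy is expressed by the “Enabled” DWORD under those keys, as the post shows; the function names are my own.

```powershell
# Added example, not code from the original post.
# Assumption: WHfB policy state is the "Enabled" DWORD under the PassportForWork
# policy keys named in the post (computer hive and user hive). Run as the affected
# user in a non-elevated PowerShell session, on each device where they provisioned.

$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork',   # computer policy
    'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork'    # user policy
)

function Get-WhfbPolicyState {
    # One object per hive: NotConfigured (key or value absent), Enabled (1) or Disabled (0).
    foreach ($path in $policyPaths) {
        $state = 'NotConfigured'
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            if ($null -ne $value) {
                $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
            }
        }
        [pscustomobject]@{ Hive = $path.Split(':')[0]; Path = $path; State = $state }
    }
}

function Test-IsElevated {
    # The post says to run certutil from a non-admin prompt; detect an elevated session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-WhfbContainer {
    param([switch]$Restart)   # -Restart reboots immediately, as the post's last step requires

    $states = Get-WhfbPolicyState
    $states | Format-Table -AutoSize | Out-String | Write-Host

    # The post's scenario: provisioning is Disabled, so the Settings "Remove" button is greyed out.
    # If either hive still says Enabled, deleting the container only triggers re-enrollment at next sign-in.
    if ($states.State -contains 'Enabled') {
        Write-Warning 'WHfB provisioning is still enabled; disable the policy first, or the user will be prompted to enroll again.'
        return $false
    }

    if (Test-IsElevated) {
        Write-Warning 'Run this as the affected user in a non-elevated session; the Hello container belongs to the signed-in user.'
        return $false
    }

    # Same command as in the post; certutil.exe is built into Windows.
    & certutil.exe -deleteHelloContainer
    if ($LASTEXITCODE -ne 0) {
        Write-Error "certutil.exe -deleteHelloContainer returned exit code $LASTEXITCODE"
        return $false
    }

    Write-Host 'Hello container deleted. Restart the computer to finish removing the PIN sign-in.'
    if ($Restart) { Restart-Computer -Force }
    return $true
}

Remove-WhfbContainer
```

The policy check runs first on purpose: deleting the container while provisioning is still enabled does not remove WHfB, it just puts the user back at the enrollment prompt. Use the -Restart switch (Remove-WhfbContainer -Restart) when the user is ready for the reboot that completes the procedure.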
With the policy set to disabled, the user will not be prompted to enroll again at their next sign-in, and they cannot start the provisioning process on this or any other Windows computer going forward. (If the policy were still enabled, deleting the container would simply bring back the Windows Hello enrollment prompt.) We wouldn’t want the user to enroll for Windows Hello for Business again right after we removed it, right?
I hope you found this information helpful in your understanding of Windows Hello for Business administration. Until next time.
Brent Crummey
Related Registry Keys
Computer registry - HKLM\SOFTWARE\Policies\Microsoft\PassportForWork
User registry - HKCU\SOFTWARE\Policies\Microsoft\PassportForWork
References
Windows Hello for Business Frequently Asked Questions (FAQ) - Windows Security | Microsoft Learn