Forum Discussion
Disable "Windows Hello"
I’m pretty sure that Windows Hello for Business is enabled by default.
Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization
When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)
Best regards
Anders Eide
I have hundreds of terminals affected by this forcefully spread "Hello Business" malware.
MS installs its malware indiscriminately.
"User Experience" is rather miserable as a result.
This malware keeps trying to install and fail. - This disrupts the whole operation. These are not Office PC's running MS Office or like. There is Windows and an Application that should not be obstructed by the "Hello Business" or a "Game Bar Installation" EVER.So for this environment both are MALWARE forced in by the Microsoft.
Need a simple way to disable this malware in the non-domain, non-Azure ... environment with a script or a reg hack.
P.S. Could Microsoft kindly explain why the "Game Bar" installation is forced onto the Business PC's and how to stop this MALWARE.The use case MSFT failed to test was a shared computer. Having this forced on users of a shared computer is untenable. This should have been optional, not forced on user and Admins - Anders Eide
- This feature reduces security. The number of my users that forget their password because they never enter it is a security nightmare. They end up writing down their passwords! If they had to enter them often they'd remember.
Anders Eide To add to the SMB issue, PC's setup with Windows Hello during Windows setup complain that they have no local administrator account during recovery - meaning they can't be recovered.
The idea is solid, but as with virtually all of the recent 365 'improvements' turned on by default (clutter, focussed inbox etc) they're being foisted on users that don't need them, they are tricky if not impossible to remove, and just generate support issues needlessly.
- Unless you have setup something incorrectly with Intune or another MDM provider, the first user to logon to a system will be given Admin permissions. The Local Admin account has been disabled by default since Windows Vista.
users signing on with a PIN are blocked from accessing local SMB shares like on NAS devices with simple username/password logins
until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems)
James King
You are absolutely correct. Same deal, a NAS is blocked for the only user of 3 AD-Joined systems who uses the Hello PIN. When that single user logs in w/ regular password, NAS access is fine.new2you2020do they then logon to On-Premise Active Directory for gaining access to the NAS? Or do they use a user/pass as defined on the NAS?
James King This is definitely still happening. Any network drive will not be able to be accessed if using Windows Hello. It will say "A specified logon session does not exist. It may have already been terminated."
* I have tried just about everything on the the forums regarding Groupedit, Advanced Network Permissions & Settings to no avail.
I run IT for office with 10+ users accessing a server.
RyanRoe I feel your pain! I have exactly the same issue. I've tried everything I can think of and I can find on the interwebs including multiple points in the network connection chain...with two separate computers (one a laptop and one a desktop). I had the network all talking nicely to each other as well as the NAS drive for awhile but then I made the mistake of a WIndows 10 update. Still trying to recover...
As an aside to previous comments on the subject, Synology (one of the two main NAS drive manufacturers) told me via a technical support enquiry that they do not support Windows Hello installations. I generated this enquiry while trying to attach a brand new DiskStation NAS (26 June 2020) to my network.
I told you I've tried every point in the network connectivity chain...
I also strongly recomend disabling it for now. But it is possible to use hello and a local nas although it is not recomended... you need to change login alternative and choose other user and log in by that was but it is much more inconvinient than just not using Hello.
ErikROsberg There is no need for extra local accounts if you use a NAS. Just make a network connection to your NAS and save it as you connect. That way the credentials will be stored in the Windows Credential Manager (press "start" and type "credential manager" to launch it). You can then easily logon to windows using Windows Hello and the link to your NAS will just work on the basis of your stored password.
