Forum Discussion
Disable "Windows Hello"
I’m pretty sure that Windows Hello for Business is enabled by default.
Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization
When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)
Best regards
Anders Eide
Users signing on with a PIN are blocked from accessing local SMB shares like on NAS devices with simple username/password logins.
Until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems).
- new2you2020, Jun 08, 2020, Copper Contributor
James King
You are absolutely correct. Same deal, a NAS is blocked for the only user of 3 AD-Joined systems who uses the Hello PIN. When that single user logs in w/ regular password, NAS access is fine.
- Thierry Vos, Jun 09, 2020, MCT
new2you2020 Do they then log on to On-Premise Active Directory for gaining access to the NAS? Or do they use a user/pass as defined on the NAS?
- new2you2020, Jun 10, 2020, Copper Contributor
Thierry Vos
They use their AzureAD joined email address & password to connect to the NAS share (which was shared for Public/Everyone on the NAS side). Tell user to choose the "Key" icon at login (Other logon options) and use those creds, and they're all fine.
Tried hacking the Registry for the Hello PIN, since MS disables your ability to change it when AzureAD joined...unless you pay for a certain Tier (or Add-on) within Azure itself. No go...Registry hack didn't help. So if you created/chose the option to use a Hello PIN when joining the workstation to Azure, you're stuck w/ the OPTION.
This is Azure's habit, you pay for this, you pay for that, you subscribe for this, you subscribe for that, for more of that, for ability to do that, etc.. It's not my preference, over a local Domain w/ local Domain AD joined computers being the standard and long term (long term) cost savings.
- RyanRoe, Jan 22, 2020, Copper Contributor
James King This is definitely still happening. Any network drive will not be able to be accessed if using Windows Hello. It will say "A specified logon session does not exist. It may have already been terminated."
* I have tried just about everything on the forums regarding Groupedit, Advanced Network Permissions & Settings to no avail.
I run IT for an office with 10+ users accessing a server.
- Jeff_Schwisow, Jul 08, 2020, Copper Contributor
RyanRoe I feel your pain! I have exactly the same issue. I've tried everything I can think of and I can find on the interwebs including multiple points in the network connection chain...with two separate computers (one a laptop and one a desktop). I had the network all talking nicely to each other as well as the NAS drive for a while but then I made the mistake of a Windows 10 update. Still trying to recover...
As an aside to previous comments on the subject, Synology (one of the two main NAS drive manufacturers) told me via a technical support enquiry that they do not support Windows Hello installations. I generated this enquiry while trying to attach a brand new DiskStation NAS (26 June 2020) to my network.
I told you I've tried every point in the network connectivity chain...
- Geoffjk1160, Jul 20, 2020, Copper Contributor
Not sure if you guys have tried this one, but this seems to have done the trick in one of my customers' environments (we're doing a bulk enrollment for these devices into Intune, so I've included this as part of the provisioning package).
Reg add HKLM\SOFTWARE\Policies\Microsoft\PassportForWork /v Enabled /t REG_DWORD /d 0 /f
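Added example, not part of the original post: a PowerShell function that audits the same policy value before changing it, so the setting can be checked and applied idempotently on an enrolled device. The function name is hypothetical; the key, value name and data are the ones in the command above, and an elevated session is assumed.

```powershell
# Added example (not from the thread): audit, then set, the policy value
# HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Enabled = 0.
# Assumes an elevated session; writing under HKLM\SOFTWARE\Policies needs admin rights.
function Set-HelloForBusinessPolicyDisabled {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Key and value name are taken from the reg add command in the post.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork',
        [string]$Name = 'Enabled'
    )

    # Read the current value; $null means the key or the value does not exist.
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($before -eq 0) {
        # Already set: report and make no change.
        return [pscustomobject]@{ Path = $Path; Before = 0; After = 0; Changed = $false }
    }

    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set REG_DWORD to 0')) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Re-read so the report reflects what is actually in the registry.
    $after = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Path = $Path; Before = $before; After = $after; Changed = ($after -ne $before) }
}

# Preview only: -WhatIf reports what would be written without changing anything.
Set-HelloForBusinessPolicyDisabled -WhatIf
```

Run it without `-WhatIf` to apply the value; the returned object records the value before and after, which is useful in provisioning logs.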
- ErikROsberg, Jan 08, 2020, Copper Contributor
I also strongly recommend disabling it for now. But it is possible to use Hello and a local NAS although it is not recommended... you need to change login alternative and choose other user and log in by that way but it is much more inconvenient than just not using Hello.
- Thierry Vos, Jan 08, 2020, MCT
ErikROsberg There is no need for extra local accounts if you use a NAS. Just make a network connection to your NAS and save it as you connect. That way the credentials will be stored in the Windows Credential Manager (press "start" and type "credential manager" to launch it). You can then easily log on to Windows using Windows Hello and the link to your NAS will just work on the basis of your stored password.
- AndreasBenum, Mar 13, 2019, Copper Contributor
You can disable Windows Hello from Windows Enrollment in Intune, but you can't disable PIN after enrollment.
I have suggested this to be fixed, and please vote for my suggestion at Microsoft
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37093513-disable-windows-hello-on-windows-devices-after-int
- D370000, Oct 29, 2024, Brass Contributor
I have hundreds of terminals affected by this forcefully spread malware.
MS seem simply to remove your "Voice"....
- Thierry Vos, Nov 29, 2018, MCT
Seems to me to be more of a Policy like setting on the NAS, which type of NAS do you use? Also: Windows Hello is the way forward into password-less sign ons. So keeping users secure, while keeping it simple ;-)
- MicorNet7538Skokie, Feb 26, 2019, Copper Contributor
I don't believe that.