Forum Discussion
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens ...
Windows Hello for Business (PIN) is controlled by Entra ID and Intune, not local keys.
To disable the PIN prompt:
Option 1 (recommended):
Go to Entra admin center > Protection > Authentication methods > Windows Hello for Business > Disable for all or specific users.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-disable
Option 2 (if using Intune):
Create a policy under Devices > Configuration profiles > Identity protection > Configure Windows Hello for Business > Disabled
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
Registry edits only apply to on-prem or hybrid devices - they won’t stop PIN setup on Entra-joined PCs.