Forum Discussion
Disabling PIN-based login on Entra-joined PCs
Hi underQualifried,
Windows Hello for Business (PIN) is controlled by Entra ID and Intune, not local keys.
To disable the PIN prompt:
Option 1 (recommended):
Go to Entra admin center > Protection > Authentication methods > Windows Hello for Business > Disable for all or specific users.
Option 2 (if using Intune):
Create a policy under Devices > Configuration profiles > Identity protection > Configure Windows Hello for Business > Disabled
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
Registry edits only apply to on-prem or hybrid devices - they won’t stop PIN setup on Entra-joined PCs.
"Create a policy under Devices > Configuration profiles > Identity protection > Configure Windows Hello for Business > Disabled"
I keep seeing this online as the way to disable the PIN, but our Intune options are different. There is no Configuration Profiles under Devices in Intune. The nearest to that I can see is: Devices > Manage devices > Configuration > Policies. I've created a policy there to disable Windows Hello. It shows that the computer in the group that is assigned to the policy did succeed in getting the policy. But the PIN is still enabled on the machine. In the policy under Configuration Settings and Windows Hello For Business, the information bubble says if you disable this policy setting, the device does not provision Windows Hello for Business for any user. There are 2 problems with that. First is there is no disable option. The only options are True and False. So I set it to False. The other is that on a fresh computer, Windows prompts to set up a PIN during Windows setup, before the policy takes effect. So it isn't actually disabling the PIN.