Forum Discussion
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources, 2) have tenant users log in to the machine and get enriched tokens every time. This works as desired. The problem is every user gets prompted to set a PIN. These are both shared secondary/tertiary PCs; there is no point in having a 6-digit PIN on them.
I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run (by my onsite tech) to change certain related registry keys, but this made no difference after a reboot.
rem Policy key used by the "Use Windows Hello for Business" setting (Passport.admx)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /f
rem Also suppress the post-logon Hello provisioning prompt
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and elsewhere. Unfortunately, they do not work.
Not sure what to do here. I've read there are Intune controls for this, but I don't really have the time to work out Windows PC enrollment profiles for 2 machines. The site has Intune, but only for iOS mobile management. Thoughts?
6 Replies
A quick clarification here, because there is some confusion in the thread about how this works.
The PIN prompt you are seeing is triggered by Windows Hello for Business (WHfB) provisioning, which Windows attempts automatically when a device is Microsoft Entra joined.
A few important points that often cause confusion:
- WHfB is not controlled by Authentication Methods in Entra ID
The setting under Authentication Methods relates to passkey / FIDO scenarios, not Windows Hello provisioning on the device.
Windows Hello for Business is primarily controlled by:
- Device configuration (Intune or local policy)
- Provisioning behavior during Entra join
- Registry keys alone are often ignored on Entra-joined devices
The keys you applied:
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork
can work in some scenarios, but they are not always honored once the device is fully Entra joined because the Hello provisioning workflow is triggered during the first interactive sign-in.
- The correct way to disable WHfB without Intune
Since these are shared machines and you are not using Intune for Windows management, the reliable method is Local Group Policy.
Run:
gpedit.msc
Then configure:
Computer Configuration
Administrative Templates
Windows Components
Windows Hello for Business
Set:
Use Windows Hello for Business → Disabled
Then reboot the device.
This stops Windows from provisioning the PIN during sign-in.
- Important behavior to know
If a user already created a PIN before the policy was disabled, that PIN will remain usable. The policy only prevents new provisioning, which is why Chris still sees existing PINs but users can now sign in with their password.
For shared Entra-joined machines, disabling WHfB locally like this is a common pattern. In larger environments the same configuration would typically be deployed through Intune Settings Catalog.
underQualifried
Hello,
When a device is associated with Microsoft Entra, Windows automatically attempts to provision Windows Hello for Business (WHfB) during the user's first login. This is what triggers the PIN setup request.
This behavior is not controlled by Authentication Methods in Entra, because the Windows Hello PIN is a device authentication mechanism, not a tenant authentication method.
In environments where Intune is not used, the recommended way to prevent this provisioning is to disable Windows Hello for Business locally on the device.
You can configure this through Local Group Policy:
Computer Configuration
Administrative Templates
Windows Components
Windows Hello for Business
Set the option "Windows Hello for Business" to Disabled
and restart the device.
This prevents Windows from attempting to provision Windows Hello, and users will be able to sign in using only their username and password, which may be more appropriate for shared or secondary machines, such as the two devices you described.
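The two replies above describe the same Local Group Policy change (Use Windows Hello for Business → Disabled) and the caveat that an already-provisioned PIN survives it. The following PowerShell script is an added example, written for this editing pass and not posted by any participant in the thread. It audits, from an elevated prompt on the Entra-joined PC, where WHfB is currently being controlled and what Windows itself decides about Hello provisioning, so you can check the machine before and after the gpedit change. It relies on three facts: the "Use Windows Hello for Business" ADMX setting is stored as the DWORD `Enabled` under `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork` (0 = Disabled, with the optional `DisablePostLogonProvisioning` checkbox beside it); the MDM/Intune delivery of the same setting (PassportForWork CSP) is mirrored under `HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies` as `UsePassportForWork`; and `dsregcmd /status` prints `NgcSet`, `PolicyEnabled` and `PreReqResult` lines. The function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Windows Hello for Business (WHfB) control points on an
# Entra-joined PC. Read-only; it changes nothing on the device.

$GpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'          # Local/Domain GPO (Passport.admx)
$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'          # MDM (PassportForWork CSP) mirror

function Get-WhfbPolicySources {
    # Where is WHfB being turned on or off? $null means "not configured".
    $gpo = Get-ItemProperty -Path $GpoKey -ErrorAction SilentlyContinue

    $mdm = @()
    if (Test-Path $MdmRoot) {
        # One subkey per tenant GUID; the device-scope policy lives under Device\Policies.
        foreach ($tenant in Get-ChildItem -Path $MdmRoot) {
            $pol = Join-Path $tenant.PSPath 'Device\Policies'
            if (Test-Path $pol) {
                $v = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).UsePassportForWork
                if ($null -ne $v) {
                    $mdm += [pscustomobject]@{ TenantId = $tenant.PSChildName; UsePassportForWork = $v }
                }
            }
        }
    }

    [pscustomobject]@{
        GpoEnabled                      = $gpo.Enabled                      # 0 = policy says Disabled
        GpoDisablePostLogonProvisioning = $gpo.DisablePostLogonProvisioning # 1 = no post-logon prompt
        MdmPolicies                     = $mdm                              # empty on non-Intune devices
    }
}

function Get-DsregField {
    # Pull "Name : Value" out of dsregcmd /status output; $null if absent.
    param([string[]]$Lines, [string]$Name)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$([regex]::Escape($Name))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-WhfbProvisioningState {
    # What Windows reports for the *calling* user. Run it as the user whose
    # PIN prompt you are investigating, not only from an admin session.
    $out = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = Get-DsregField $out 'AzureAdJoined'   # YES on an Entra-joined device
        NgcSet        = Get-DsregField $out 'NgcSet'          # YES = this user already has a Hello PIN/key
        PolicyEnabled = Get-DsregField $out 'PolicyEnabled'   # Ngc Prerequisite Check: policy allows Hello?
        PreReqResult  = Get-DsregField $out 'PreReqResult'    # WillProvision / WillNotProvision
    }
}

function Test-WhfbEffectivelyDisabled {
    # Combined verdict: policy says Disabled and Windows agrees it will not provision.
    param($Policy, $State)
    $policyOff = ($Policy.GpoEnabled -eq 0) -or
                 (($Policy.MdmPolicies | Where-Object UsePassportForWork -eq 0).Count -gt 0)
    return ($policyOff -and $State.PreReqResult -eq 'WillNotProvision')
}

$policy = Get-WhfbPolicySources
$state  = Get-WhfbProvisioningState

'--- WHfB policy sources ---';       $policy | Format-List
'--- dsregcmd provisioning view ---'; $state  | Format-List
"Effectively disabled for this user: $(Test-WhfbEffectivelyDisabled $policy $state)"
if ($state.NgcSet -eq 'YES') {
    'Note: this user already has a Hello PIN; disabling the policy stops new provisioning but does not remove it.'
}
```

Run it once before the gpedit change and once after the reboot: `GpoEnabled` should read 0 and `PreReqResult` should flip to `WillNotProvision`. A user who provisioned a PIN earlier will still show `NgcSet : YES`, which matches the behaviour the replies describe.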
- Chris_TenAV (Copper Contributor)
Thank you, this seems to have done the trick. Sadly the PIN each user configured prior to disablement can't be removed, but this isn't a major issue as they can still sign in using their 365 password, which is what we wanted. Have a good day and thanks again!
Great to hear that the solution helped resolve the issue.
Thank you for sharing the outcome here in the discussion. This feedback is very useful for other professionals who may face the same situation.
If you have any further questions in the future, feel free to open a new question. Have a great day!
- Chris_TenAV (Copper Contributor)
Hi AladinH,
The setting in option 1 does not exist. Can you share a screenshot or a working link to a current Microsoft Learn article that describes this, please? I cannot find any WHfB settings in Entra, and my scenario is the same as the OP's.
- AladinH (Iron Contributor)
Hi underQualifried,
Windows Hello for Business (PIN) is controlled by Entra ID and Intune, not local keys.
To disable the PIN prompt:
Option 1 (recommended):
Go to Entra admin center > Protection > Authentication methods > Windows Hello for Business > Disable for all or specific users.
Option 2 (if using Intune):
Create a policy under Devices > Configuration profiles > Identity protection > Configure Windows Hello for Business > Disabled
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
Registry edits only apply to on-prem or hybrid devices; they won't stop PIN setup on Entra-joined PCs.