Forum Discussion
Solved
Prohibit PIN authentication and force password authentication?
I'm looking to use Intune for the first time for a client. From what I've discovered, it appears that using Intune asks the users to setup a PIN to sign into their Azure AD-joined computer. How can I prevent the use of a PIN to log into the machine and for password authentication?
I believe the use of a PIN also involves 2FA using their mobile phone number, but I'd prefer to require password authentication.
If I'm off base, please correct my understanding.
Thank you!
Kevin Frye
9 Replies
- In this case we are just concerned with Windows 10 computers. They will ultimately be Azure AD joined and without a local domain controller.
I think the PIN element is part of Windows Hello for Business. I am not aware of a way to remove this if they are AD Joined.
When creating a PIN it may prompt to verify identity with a text or phone call, this part can be skipped if you have ADFS but a PIN would still be required to set up.
It's correct that Windows Hello is a services that is included in Windows 10 and that it's the cause of the PIN request and MFA promting. But if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining you can actually disable Windows Hello for Business with a setting in Intune.
https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune
But for Windows 10 Mobile this setting will not have any affect since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.
- What type of devices are in your use case? And do you have AD FS?
