Forum Discussion
Prohibit PIN authentication and force password authentication?
- Deleted, May 22, 2017
This was true with the Windows 10 desktop 1511 version, the setting didn't have any effect, but with the 1607 version that changed. I've verified this not that long ago.
I think the PIN element is part of Windows Hello for Business. I am not aware of a way to remove this if they are AD Joined.
When creating a PIN it may prompt to verify identity with a text or phone call, this part can be skipped if you have ADFS but a PIN would still be required to set up.
It's correct that Windows Hello is a service that is included in Windows 10 and that it's the cause of the PIN request and MFA prompting. But if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining, you can actually disable Windows Hello for Business with a setting in Intune.
https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune
But for Windows 10 Mobile this setting will not have any effect, since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.
- John Guy, May 22, 2017, Copper Contributor
I have tested removing the requirement for a PIN code from a Windows 10 device (desktop/tablet) but was still prompted for a PIN even though Windows Hello was disabled.
This is what happened in our case, so we had to keep the PIN feature; this may well have changed after updates now.
- Deleted, May 22, 2017
This was true with the Windows 10 desktop 1511 version, the setting didn't have any effect, but with the 1607 version that changed. I've verified this not that long ago.
- Kevin Frye, May 22, 2017, Copper Contributor
Thank you! Between you and John Guy, you pieced together why I read reports that this option in Intune to disable PINs was doing nothing. But this makes sense - the newer versions of Win10 fixed that issue.
Thank you both!
As a follow-up, does anyone know if you can disable PIN authentication without Intune? I know we can do it via Local Security Policy, but I am curious if Azure AD itself, without Intune, can centrally manage this setting.
Thanks again!
- Deleted, May 22, 2017
Btw, this is also true even if you don't use ADFS.