Home

Disable "Windows Hello"

%3CLINGO-SUB%20id%3D%22lingo-sub-143151%22%20slang%3D%22en-US%22%3EDisable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143151%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI%20am%20an%20admin%2C%20and%20attempting%20to%20disable%20%22Windows%20Hello%20for%20Business%22%20also%20referred%20to%20as%202-step%20authentication.%20From%20what%20I%20gather%2C%20this%20option%20is%20set%20as%20%22disabled%22%20by%20default.%20I%20confirmed%20this.%20However%20Whenever%20I%20join%20a%20device%20to%20Azure%20AD%2C%20it%20is%20always%20prompted%20with%20%22Windows%20Hello%22%20and%20to%20create%20a%20pin.%20Where%20can%20I%20find%20the%20option%20that%20allows%20me%20to%20disable%20this%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-143151%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Hello%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391729%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391729%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F74103%22%20target%3D%22_blank%22%3E%40Anders%20Eide%3C%2FA%3E%26nbsp%3BTo%20add%20to%20the%20SMB%20issue%2C%20PC's%20setup%20with%20Windows%20Hello%20during%20Windows%20setup%20complain%20that%20they%20have%20no%20local%20administrator%20account%20during%20recovery%20-%20meaning%20they%20can't%20be%20recovered.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20idea%20is%20solid%2C%20but%20as%20with%20virtually%20all%20of%20the%20recent%20365%20'improvements'%20turned%20on%20by%20default%20(clutter%2C%20focussed%20inbox%20etc)%20they're%20being%20foisted%20on%20users%20that%20don't%20need%20them%2C%20they%20are%20tricky%20if%20not%20impossible%20to%20remove%2C%20and%20just%20generate%20support%20issues%20needlessly.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-366788%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-366788%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20disable%20Windows%20Hello%20from%20Windows%20Enrollment%20in%20Intune%2C%20but%20you%20cant%20disable%20PIN%20after%20enrollment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20suggested%20this%20to%20be%20fixed%2C%20and%20please%20vote%20for%20my%20suggestion%20at%20Microsoft%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37093513-disable-windows-hello-on-windows-devices-after-int%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37093513-disable-windows-hello-on-windows-devices-after-int%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-357088%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-357088%22%20slang%3D%22en-US%22%3EI%20don't%20believe%20that.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292598%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292598%22%20slang%3D%22en-US%22%3ESeems%20to%20me%20to%20be%20more%20of%20a%20Policy%20like%20setting%20on%20the%20NAS%2C%20which%20type%20of%20NAS%20do%20you%20use%3F%20Also%3A%20Windows%20Hello%20is%20the%20way%20forward%20into%20password-less%20sign%20ons.%20So%20keeping%20users%20secure%2C%20while%20keeping%20it%20simple%20%3B)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199528%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199528%22%20slang%3D%22en-US%22%3E%3CP%3Eusers%20signing%20on%20with%20a%20PIN%20are%20blocked%20from%20accessing%20local%20SMB%20shares%20like%20on%20NAS%20devices%20with%20simple%20username%2Fpassword%20logins%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Euntil%20MS%20fix%20this%20problem%2C%20Windows%20Hello%20has%20to%20be%20disabled%20if%20you%20use%20local%20file%20storage%20in%20this%20way%20(we%20use%20a%20NAS%20for%20backing%20up%20local%20systems)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-144348%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-144348%22%20slang%3D%22en-US%22%3EHi!%3CBR%20%2F%3E%3CBR%20%2F%3EI%E2%80%99m%20pretty%20sure%20that%20Windows%20Hello%20for%20Business%20is%20enabled%20by%20default.%3CBR%20%2F%3E%3CBR%20%2F%3EAnyway%2C%20the%20following%20article%20describes%20how%20to%20manage%20it%2C%20and%20also%20disable%20the%20feature.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Faccess-protection%2Fhello-for-business%2Fhello-manage-in-organization%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Faccess-protection%2Fhello-for-business%2Fhello-manage-in-organization%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20that%E2%80%99s%20said%2C%20I%20would%20also%20challenge%20you%20to%20try%20getting%20it%20to%20work%2C%20as%20it%20does%20improve%20user%20experience%20and%20security%20if%20done%20correctly%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%20%3CBR%20%2F%3EAnders%20Eide%3C%2FLINGO-BODY%3E
Joshua Dolecal
New Contributor

I am an admin, and attempting to disable "Windows Hello for Business" also referred to as 2-step authentication. From what I gather, this option is set as "disabled" by default. I confirmed this. However Whenever I join a device to Azure AD, it is always prompted with "Windows Hello" and to create a pin. Where can I find the option that allows me to disable this?

6 Replies
Highlighted
Hi!

I’m pretty sure that Windows Hello for Business is enabled by default.

Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organi...

When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)

Best regards
Anders Eide

users signing on with a PIN are blocked from accessing local SMB shares like on NAS devices with simple username/password logins

 

until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems)

Seems to me to be more of a Policy like setting on the NAS, which type of NAS do you use? Also: Windows Hello is the way forward into password-less sign ons. So keeping users secure, while keeping it simple ;)
I don't believe that.

You can disable Windows Hello from Windows Enrollment in Intune, but you cant disable PIN after enrollment.

 

I have suggested this to be fixed, and please vote for my suggestion at Microsoft

 

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37093513-disable-windows-hello...

 

@Anders Eide To add to the SMB issue, PC's setup with Windows Hello during Windows setup complain that they have no local administrator account during recovery - meaning they can't be recovered.

 

The idea is solid, but as with virtually all of the recent 365 'improvements' turned on by default (clutter, focussed inbox etc) they're being foisted on users that don't need them, they are tricky if not impossible to remove, and just generate support issues needlessly. 

Related Conversations