05-19-2017 12:35 PM
05-19-2017 12:35 PM
I'm looking to use Intune for the first time for a client. From what I've discovered, it appears that using Intune asks the users to setup a PIN to sign into their Azure AD-joined computer. How can I prevent the use of a PIN to log into the machine and for password authentication?
I believe the use of a PIN also involves 2FA using their mobile phone number, but I'd prefer to require password authentication.
If I'm off base, please correct my understanding.
I think the PIN element is part of Windows Hello for Business. I am not aware of a way to remove this if they are AD Joined.
When creating a PIN it may prompt to verify identity with a text or phone call, this part can be skipped if you have ADFS but a PIN would still be required to set up.
It's correct that Windows Hello is a services that is included in Windows 10 and that it's the cause of the PIN request and MFA promting. But if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining you can actually disable Windows Hello for Business with a setting in Intune.
But for Windows 10 Mobile this setting will not have any affect since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.
This was true with the Windows 10 desktop 1511 version, the setting didn't have any effect, but with the 1607 version that changed. I've verified this not that long ago.
Thank you! Between you and John Guy, you pieced together why I read reports of this option in Intune to disable PINs was doing nothing. But this makes sense- the newer versions of Win10 fixed that issue.
Thank you both!
As a follow-up, does anyone know if you can disable PIN authentication without Intune? I know we can do it via Local Security Policy, but I am curious of Azure AD itself, without Intune, can centerally manage this setting.
Sorry for my late reply on your last question. No, I havn't seen or heard of a setting for that only in Azure AD itself.