Home

Disable "Windows Hello"

%3CLINGO-SUB%20id%3D%22lingo-sub-143151%22%20slang%3D%22en-US%22%3EDisable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143151%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI%20am%20an%20admin%2C%20and%20attempting%20to%20disable%20%22Windows%20Hello%20for%20Business%22%20also%20referred%20to%20as%202-step%20authentication.%20From%20what%20I%20gather%2C%20this%20option%20is%20set%20as%20%22disabled%22%20by%20default.%20I%20confirmed%20this.%20However%20Whenever%20I%20join%20a%20device%20to%20Azure%20AD%2C%20it%20is%20always%20prompted%20with%20%22Windows%20Hello%22%20and%20to%20create%20a%20pin.%20Where%20can%20I%20find%20the%20option%20that%20allows%20me%20to%20disable%20this%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-143151%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Hello%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391729%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391729%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F74103%22%20target%3D%22_blank%22%3E%40Anders%20Eide%3C%2FA%3E%26nbsp%3BTo%20add%20to%20the%20SMB%20issue%2C%20PC's%20setup%20with%20Windows%20Hello%20during%20Windows%20setup%20complain%20that%20they%20have%20no%20local%20administrator%20account%20during%20recovery%20-%20meaning%20they%20can't%20be%20recovered.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20idea%20is%20solid%2C%20but%20as%20with%20virtually%20all%20of%20the%20recent%20365%20'improvements'%20turned%20on%20by%20default%20(clutter%2C%20focussed%20inbox%20etc)%20they're%20being%20foisted%20on%20users%20that%20don't%20need%20them%2C%20they%20are%20tricky%20if%20not%20impossible%20to%20remove%2C%20and%20just%20generate%20support%20issues%20needlessly.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-366788%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-366788%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20disable%20Windows%20Hello%20from%20Windows%20Enrollment%20in%20Intune%2C%20but%20you%20cant%20disable%20PIN%20after%20enrollment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20suggested%20this%20to%20be%20fixed%2C%20and%20please%20vote%20for%20my%20suggestion%20at%20Microsoft%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37093513-disable-windows-hello-on-windows-devices-after-int%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37093513-disable-windows-hello-on-windows-devices-after-int%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-357088%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-357088%22%20slang%3D%22en-US%22%3EI%20don't%20believe%20that.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292598%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292598%22%20slang%3D%22en-US%22%3ESeems%20to%20me%20to%20be%20more%20of%20a%20Policy%20like%20setting%20on%20the%20NAS%2C%20which%20type%20of%20NAS%20do%20you%20use%3F%20Also%3A%20Windows%20Hello%20is%20the%20way%20forward%20into%20password-less%20sign%20ons.%20So%20keeping%20users%20secure%2C%20while%20keeping%20it%20simple%20%3B)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199528%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199528%22%20slang%3D%22en-US%22%3E%3CP%3Eusers%20signing%20on%20with%20a%20PIN%20are%20blocked%20from%20accessing%20local%20SMB%20shares%20like%20on%20NAS%20devices%20with%20simple%20username%2Fpassword%20logins%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Euntil%20MS%20fix%20this%20problem%2C%20Windows%20Hello%20has%20to%20be%20disabled%20if%20you%20use%20local%20file%20storage%20in%20this%20way%20(we%20use%20a%20NAS%20for%20backing%20up%20local%20systems)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-144348%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-144348%22%20slang%3D%22en-US%22%3EHi!%3CBR%20%2F%3E%3CBR%20%2F%3EI%E2%80%99m%20pretty%20sure%20that%20Windows%20Hello%20for%20Business%20is%20enabled%20by%20default.%3CBR%20%2F%3E%3CBR%20%2F%3EAnyway%2C%20the%20following%20article%20describes%20how%20to%20manage%20it%2C%20and%20also%20disable%20the%20feature.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Faccess-protection%2Fhello-for-business%2Fhello-manage-in-organization%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Faccess-protection%2Fhello-for-business%2Fhello-manage-in-organization%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20that%E2%80%99s%20said%2C%20I%20would%20also%20challenge%20you%20to%20try%20getting%20it%20to%20work%2C%20as%20it%20does%20improve%20user%20experience%20and%20security%20if%20done%20correctly%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%20%3CBR%20%2F%3EAnders%20Eide%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096689%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096689%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F151959%22%20target%3D%22_blank%22%3E%40James%20King%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20strongly%20recomend%20disabling%20it%20for%20now.%20But%20it%20is%20possible%20to%20use%20hello%20and%20a%20local%20nas%20but%20not%20recomended...%20you%20need%20to%20change%20login%20alternative%20and%20choose%20other%20user%20and%20log%20in%20by%20that%20was%20but%20it%20is%20much%20more%20inconvinient%20than%20just%20not%20using%20Hello.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1123690%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1123690%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F151959%22%20target%3D%22_blank%22%3E%40James%20King%3C%2FA%3E%26nbsp%3BThis%20is%20definitely%20still%20happening.%20Any%20network%20drive%20will%20not%20be%20able%20to%20be%20accessed%20if%20using%20Windows%20Hello.%20It%20will%20say%20%22A%20specified%20logon%20session%20does%20not%20exist.%20It%20may%20have%20already%20been%20terminated.%22%3C%2FP%3E%3CP%3E*%20I%20have%20tried%20just%20about%20everything%20on%20the%20the%20forums%20regarding%20Groupedit%2C%20Advanced%20Network%20Permissions%20%26amp%3B%20Settings%20to%20no%20avail.%20I%20run%20IT%20for%20office%20with%2010%2B%20users%20accessing%20a%20server.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096709%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20%22Windows%20Hello%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096709%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510522%22%20target%3D%22_blank%22%3E%40ErikROsberg%3C%2FA%3E%26nbsp%3BThere%20is%20no%20need%20for%20extra%20local%20accounts%20if%20you%20use%20a%20NAS.%20Just%20make%20a%20network%20connection%20to%20your%20NAS%20and%20save%20it%20as%20you%20connect.%20That%20way%20the%20credentials%20will%20be%20stored%20in%20the%20Windows%20Credential%20Manager%20(press%20%22start%22%20and%20type%20%22credential%20manager%22%20to%20launch%20it).%20You%20can%20then%20easily%20logon%20to%20windows%20using%20Windows%20Hello%20and%20the%20link%20to%20your%20NAS%20will%20just%20work%20on%20the%20basis%20of%20your%20stored%20password.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Joshua Dolecal
New Contributor

I am an admin, and attempting to disable "Windows Hello for Business" also referred to as 2-step authentication. From what I gather, this option is set as "disabled" by default. I confirmed this. However Whenever I join a device to Azure AD, it is always prompted with "Windows Hello" and to create a pin. Where can I find the option that allows me to disable this?

10 Replies
Highlighted
Hi!

I’m pretty sure that Windows Hello for Business is enabled by default.

Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organi...

When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)

Best regards
Anders Eide

users signing on with a PIN are blocked from accessing local SMB shares like on NAS devices with simple username/password logins

 

until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems)

Highlighted
Seems to me to be more of a Policy like setting on the NAS, which type of NAS do you use? Also: Windows Hello is the way forward into password-less sign ons. So keeping users secure, while keeping it simple ;)
Highlighted
I don't believe that.
Highlighted

You can disable Windows Hello from Windows Enrollment in Intune, but you cant disable PIN after enrollment.

 

I have suggested this to be fixed, and please vote for my suggestion at Microsoft

 

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37093513-disable-windows-hello...

 

Highlighted

@Anders Eide To add to the SMB issue, PC's setup with Windows Hello during Windows setup complain that they have no local administrator account during recovery - meaning they can't be recovered.

 

The idea is solid, but as with virtually all of the recent 365 'improvements' turned on by default (clutter, focussed inbox etc) they're being foisted on users that don't need them, they are tricky if not impossible to remove, and just generate support issues needlessly. 

Highlighted

@James King 

I also strongly recomend disabling it for now. But it is possible to use hello and a local nas although it is  not recomended... you need to change login alternative and choose other user and log in by that was but it is much more inconvinient than just not using Hello.

Highlighted

@ErikROsberg There is no need for extra local accounts if you use a NAS. Just make a network connection to your NAS and save it as you connect. That way the credentials will be stored in the Windows Credential Manager (press "start" and type "credential manager" to launch it). You can then easily logon to windows using Windows Hello and the link to your NAS will just work on the basis of your stored password.

Highlighted

@James King This is definitely still happening. Any network drive will not be able to be accessed if using Windows Hello. It will say "A specified logon session does not exist. It may have already been terminated."

* I have tried just about everything on the the forums regarding Groupedit, Advanced Network Permissions & Settings to no avail.

 

I run IT for office with 10+ users accessing a server.

Highlighted

@Joshua Dolecal 

It can be done if you have Intune licenses.
If you haven't any, I suggest the workaround as following

First Setup a Intune trial
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intu... 

assigning one license to a random user, so we gain access to the Intune portal
https://devicemanagement.microsoft.com 

Go to Devices > Windows > Windows Device enrollment
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/win... 

Click on Windows Hello for Business and at the bottom, at the "Configure Windows Hello for Business" select Disable, Apply

Please be advised to cancel the trial after completing this steps, so you will not be billed in the future.
Note: The Intune portal might change time to time, (design, arrangements )