Jan 09 2018 09:46 AM
I am an admin, and I am attempting to disable "Windows Hello for Business", also referred to as 2-step authentication. From what I gather, this option is set as "disabled" by default. I confirmed this. However, whenever I join a device to Azure AD, it is always prompted with "Windows Hello" and to create a PIN. Where can I find the option that allows me to disable this?
Jan 11 2018 12:54 PM
May 31 2018 04:17 AM
Users signing on with a PIN are blocked from accessing local SMB shares, like on NAS devices with simple username/password logins.
Until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems).
Nov 29 2018 01:18 AM
Mar 13 2019 06:16 AM
You can disable Windows Hello from Windows Enrollment in Intune, but you can't disable PIN after enrollment.
I have suggested this to be fixed, and please vote for my suggestion at Microsoft
Apr 01 2019 03:17 AM
@Anders Eide To add to the SMB issue, PCs set up with Windows Hello during Windows setup complain that they have no local administrator account during recovery - meaning they can't be recovered.
The idea is solid, but as with virtually all of the recent 365 'improvements' turned on by default (clutter, focussed inbox etc) they're being foisted on users that don't need them, they are tricky if not impossible to remove, and just generate support issues needlessly.
Jan 08 2020 06:56 AM - edited Jan 08 2020 06:58 AM
I also strongly recommend disabling it for now. But it is possible to use Hello and a local NAS, although it is not recommended... you need to change the login alternative, choose other user and log in that way, but it is much more inconvenient than just not using Hello.
Jan 08 2020 07:03 AM
@ErikROsberg There is no need for extra local accounts if you use a NAS. Just make a network connection to your NAS and save it as you connect. That way the credentials will be stored in the Windows Credential Manager (press "Start" and type "credential manager" to launch it). You can then easily log on to Windows using Windows Hello and the link to your NAS will just work on the basis of your stored password.
Jan 22 2020 12:42 PM - edited Jan 22 2020 12:44 PM
@James King This is definitely still happening. Any network drive will not be able to be accessed if using Windows Hello. It will say "A specified logon session does not exist. It may have already been terminated."
* I have tried just about everything on the forums regarding Groupedit, Advanced Network Permissions & Settings to no avail.
I run IT for an office with 10+ users accessing a server.
Feb 07 2020 10:27 AM
It can be done if you have Intune licenses.
If you haven't any, I suggest the workaround as follows.
First set up an Intune trial
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intu...
assigning one license to a random user, so we gain access to the Intune portal
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/win...
Click on Windows Hello for Business and at the bottom, at the "Configure Windows Hello for Business" select Disable, Apply
Please be advised to cancel the trial after completing these steps, so you will not be billed in the future.
Note: The Intune portal might change from time to time (design, arrangements).
May 31 2020 11:35 AM - edited May 31 2020 11:50 AM
I just want to burn everything that has to do with Windows Hello with a blowtorch.
Why do they do this? When they do **bleep** like this I honestly feel like signing every single Microsoft center up to Scientology, Jehovah's Witnesses, other various spam packages and see how they like being bombarded with CRAP no one asked for. F*** OFF!
My problem with it is that it's invasive. At no point are you asked if you want to activate it and there's no obvious way to disable it. I could probably disable it if I had the time, but for God's sake. Why force it upon people without asking? It's dirty practices and deserves to be spat on.
Jun 08 2020 04:21 PM
@James King
You are absolutely correct. Same deal, a NAS is blocked for the only user of 3 AD-Joined systems who uses the Hello PIN. When that single user logs in w/ regular password, NAS access is fine.
Jun 09 2020 03:38 AM
@new2you2020 Do they then log on to On-Premise Active Directory for gaining access to the NAS? Or do they use a user/pass as defined on the NAS?
Jun 09 2020 03:40 AM
Jun 10 2020 06:55 AM - edited Jun 10 2020 06:56 AM
@Thierry Vos
They use their AzureAD joined email address & password to connect to the NAS share (which was shared for Public/Everyone on the NAS side). Tell user to choose the "Key" icon at login (Other logon options) and use those creds, and they're all fine.
Tried hacking the Registry for the Hello PIN, since MS disables your ability to change it when AzureAD joined...unless you pay for a certain Tier (or Add-on) within Azure itself. No go...Registry hack didn't help. So if you created/chose the option to use a Hello PIN when joining the workstation to Azure, you're stuck w/ the OPTION.
This is Azure's habit, you pay for this, you pay for that, you subscribe for this, you subscribe for that, for more of that, for ability to do that, etc.. It's not my preference, over a local Domain w/ local Domain AD joined computers being the standard and long term (long term) cost savings.
Jun 18 2020 02:19 AM
Jul 02 2020 03:59 AM
@EdmirTaipi I just tried but unfortunately it didn't work either.
So I've tried 3 methods
Method 1: Using Group policy settings.
If you are on Windows 10 Pro edition, you can change the group policy settings to disable PIN sign-in option for all users.
Open the Run dialog box by pressing the Windows key and the R key together.
Type GPEDIT.MSC and hit the Enter key.
Go to Computer Configuration -> Administrative Templates -> System -> Logon.
On the right side, double click on Turn on PIN sign-in and select Disabled.
Similarly disable the other Windows Hello options if any.
Exit the Group policy editor and reboot the computer.
Method 2: Disabling Windows Hello in Registry.
If setting Group policy doesn’t work, you may disable the sign in options which should disable Windows Hello options in all user accounts.
Disclaimer: The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on the computer. Windows often reads and updates the information in the registry.
Normally, software programs make registry changes automatically. You should not make unnecessary changes to the registry. Changing registry files incorrectly can cause Windows to stop working or make Windows report the wrong information.
Please take a backup of the registry. Follow the steps given in the link below:
How to back up and restore the registry in Windows
Open the Run dialog box by pressing the Windows key and the R key together.
Type Regedit and hit the Enter key.
When the Registry Editor opens, navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.
In the right pane, double click on the DWORD entry named value and set it to 0.
Method 3:
First set up an Intune trial
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intu...
assigning one license to a random user, so we gain access to the Intune portal
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/win...
Click on Windows Hello for Business and at the bottom, at the "Configure Windows Hello for Business" select Disable, Apply
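A read-only check for which of the settings from the three methods above actually landed on a device, as an added example that is not part of the original post. The `PassportForWork` and `AllowDomainPINLogon` locations and the `dsregcmd /status` `NgcSet` field are assumptions drawn from standard Windows behaviour, not from this thread; only the `AllowSignInOptions` path is the one quoted in Method 2.

```powershell
# Added example: audit only, changes nothing. Run in the affected user's session.
$checks = @(
    [pscustomobject]@{   # Assumption: policy key written by GPO/Intune for WHfB (Method 3)
        Setting = 'Windows Hello for Business policy'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
        Name    = 'Enabled'
    },
    [pscustomobject]@{   # Assumption: value behind "Turn on PIN sign-in" (Method 1)
        Setting = 'Convenience PIN sign-in'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Name    = 'AllowDomainPINLogon'
    },
    [pscustomobject]@{   # Path and value name as quoted in Method 2
        Setting = 'AllowSignInOptions'
        Path    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
        Name    = 'value'
    }
)

function Get-HelloPolicyState {
    param([Parameter(Mandatory)] [object[]] $Checks)
    foreach ($c in $Checks) {
        $state = 'key not present'
        if (Test-Path -LiteralPath $c.Path) {
            # A missing value returns $null instead of throwing
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'value not set'
            } else {
                $raw   = $item.($c.Name)
                $state = if ($raw -eq 0) { 'disabled (0)' } else { "not disabled ($raw)" }
            }
        }
        [pscustomobject]@{ Setting = $c.Setting; Name = $c.Name; State = $state }
    }
}

Get-HelloPolicyState -Checks $checks | Format-Table -AutoSize -Wrap

# NgcSet : YES means a Hello credential is already provisioned for this user,
# which the policy values above do not remove on their own.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|NgcSet'
```

A policy value of 0 alongside `NgcSet : YES` matches what earlier replies describe: enrollment is blocked for new sign-ins, but an existing PIN stays in place.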
Jul 07 2020 06:25 PM
@RyanRoe I feel your pain! I have exactly the same issue. I've tried everything I can think of and I can find on the interwebs including multiple points in the network connection chain...with two separate computers (one a laptop and one a desktop). I had the network all talking nicely to each other as well as the NAS drive for awhile but then I made the mistake of a Windows 10 update. Still trying to recover...
As an aside to previous comments on the subject, Synology (one of the two main NAS drive manufacturers) told me via a technical support enquiry that they do not support Windows Hello installations. I generated this enquiry while trying to attach a brand new DiskStation NAS (26 June 2020) to my network.
I told you I've tried every point in the network connectivity chain...