Forum Discussion
Joshua Dolecal (Copper Contributor)
Jan 09, 2018
Disable "Windows Hello"
I am an admin, and I am attempting to disable "Windows Hello for Business", also referred to as 2-step authentication. From what I gather, this option is set as "disabled" by default. I confirmed this. However, whenever I join a device to Azure AD, it is always prompted with "Windows Hello" and to create a PIN. Where can I find the option that allows me to disable this?
- karan_angrish (Copper Contributor)
Intune > Windows Device enrollment
Click on Windows Hello for Business and at the bottom, at "Configure Windows Hello for Business", select Disable, Apply.
- EdmirTaipi (Copper Contributor)
It can be done if you have Intune licenses.
If you haven't any, I suggest the following workaround:
First set up an Intune trial
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intune-free-trial
assigning one license to a random user, so we gain access to the Intune portal
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/windowsEnrollment
Click on Windows Hello for Business and at the bottom, at "Configure Windows Hello for Business", select Disable, Apply.
Please be advised to cancel the trial after completing these steps, so you will not be billed in the future.
Note: The Intune portal might change from time to time (design, arrangements).
- Stanvliet (Copper Contributor)
EdmirTaipi, I just tried but unfortunately it didn't work either.
So I've tried 3 methods.
Method 1: Using Group policy settings.
If you are on Windows 10 Pro edition, you can change the group policy settings to disable PIN sign-in option for all users.
Open the Run dialog box by pressing the Windows key and the R key together.
Type GPEDIT.MSC and hit the Enter key.
Go to Computer Configuration -> Administrative Templates -> System -> Logon.
On the right side, double click on Turn on PIN sign-in and select Disabled.
Similarly disable the other Windows Hello options if any.
Exit the Group policy editor and reboot the computer.
Method 2: Disabling Windows Hello in Registry.
If setting Group policy doesn’t work, you may disable the sign in options which should disable Windows Hello options in all user accounts.
Disclaimer: The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on the computer. Windows often reads and updates the information in the registry.
Normally, software programs make registry changes automatically. You should not make unnecessary changes to the registry. Changing registry files incorrectly can cause Windows to stop working or make Windows report the wrong information.
Please take a backup of the registry. Follow the steps given in the link below:
How to back up and restore the registry in Windows
Open the Run dialog box by pressing the Windows key and the R key together.
Type Regedit and hit the Enter key.
When the Registry Editor opens, navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.
In the right pane, double click on the DWORD entry named value and set it to 0.
Method 3:
First set up an Intune trial
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intu...
assigning one license to a random user, so we gain access to the Intune portal
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/win...
Click on Windows Hello for Business and at the bottom, at "Configure Windows Hello for Business", select Disable, Apply.
- Hokhmah (Copper Contributor)
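Method 2 from the post above as a PowerShell script, added here as an example and not part of the original post. It assumes an elevated session; the function name `Set-AllowSignInOptionsOff` and the backup directory are hypothetical, while the registry location and the value name come from the post.

```powershell
#Requires -RunAsAdministrator
# Added example: backs up the AllowSignInOptions key, then sets its "value" DWORD to 0.
# Function name and backup directory are hypothetical; key and value name are from the post.

function Set-AllowSignInOptionsOff {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$BackupDir = "$env:ProgramData\RegBackup"   # hypothetical location
    )

    $regKey = 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
    $psPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions"

    # Do not create the key if it is absent; report and stop instead.
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Warning "Key not found: $regKey. Nothing changed."
        return
    }

    # $previous is $null when the value does not exist yet.
    $previous = (Get-ItemProperty -LiteralPath $psPath -Name 'value' -ErrorAction SilentlyContinue).value
    $backup   = $null

    if ($previous -ne 0 -and $PSCmdlet.ShouldProcess($regKey, "Set 'value' to 0")) {
        # Export the key before touching it, so 'reg import <file>' restores it.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("AllowSignInOptions-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export $regKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry export failed; no change was made." }

        Set-ItemProperty -LiteralPath $psPath -Name 'value' -Value 0 -Type DWord
    }

    # Re-read the value so the result reflects what is actually stored.
    [pscustomobject]@{
        Key      = $regKey
        Previous = $previous
        Current  = (Get-ItemProperty -LiteralPath $psPath -Name 'value' -ErrorAction SilentlyContinue).value
        Backup   = $backup
    }
}

Set-AllowSignInOptionsOff -WhatIf   # dry run; remove -WhatIf to apply
```

Running the function again after a reboot shows whether the value is still 0.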
Intune/MS Endpoint Manager works, but it's another setting you're looking for.
Endpoint Security/Account protection -> Create Policy -> Policy Type: Account protection (Preview)
Here you have the setting "Block Windows Hello for Business". Set it to Enabled and push the policy to your devices and/or users. Worked perfectly for our customers.
Most likely one can find the same setting in a Configuration Profile. The relevant CSP is PassportForWork: https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp
- AtotehZ (Copper Contributor)
I just want to burn everything that has to do with Windows Hello with a blowtorch.
Why do they do this? When they do **bleep** like this I honestly feel like signing every single Microsoft center up to Scientology, Jehovah's Witnesses, other various spam packages and see how they like being bombarded with CRAP no one asked for. F*** OFF!
My problem with it is that it's invasive. At no point are you asked if you want to activate it and there's no obvious way to disable it. I could probably disable it if I had the time, but for God's sake. Why force it upon people without asking? It's dirty practices and deserves to be spat on.
- Thierry Vos (Copper Contributor)
It has to do with safety on the Identity side of things. Identity is the new control plane and those looking to just secure their perimeter are obviously not getting the point of a Cloud Connected world. Windows Hello brings great benefit to user simplicity when it comes to logging on and security through conditional access for instance. I'd be happy to point you to the right articles for a better understanding. Start with this one: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
- Hi!
I’m pretty sure that Windows Hello for Business is enabled by default.
Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization
When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)
Best regards
Anders Eide
- D370000 (Copper Contributor)
I have hundreds of terminals affected by this forcefully spread "Hello Business" malware.
MS installs its malware indiscriminately.
"User Experience" is rather miserable as a result.
This malware keeps trying to install and fail. - This disrupts the whole operation.
Need a simple way to disable this malware in the non-domain environment with a script or a reg hack.
- Engine101 (Copper Contributor)
The use case MSFT failed to test was a shared computer. Having this forced on users of a shared computer is untenable. This should have been optional, not forced on users and Admins - Anders Eide
- Enigmativity (Copper Contributor)
This feature reduces security. The number of my users that forget their password because they never enter it is a security nightmare. They end up writing down their passwords! If they had to enter them often they'd remember.