Forum Discussion
Disable "Windows Hello"
I am an admin attempting to disable "Windows Hello for Business", also referred to as 2-step authentication. From what I gather, this option is set as "disabled" by default. I confirmed this. However, whenever I join a device to Azure AD, it is always prompted with "Windows Hello" and to create a PIN. Where can I find the option that allows me to disable this?
- Hi!
I’m pretty sure that Windows Hello for Business is enabled by default.
Anyway, the following article describes how to manage it, and also disable the feature.
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization
When that’s said, I would also challenge you to try getting it to work, as it does improve user experience and security if done correctly :)
Best regards
Anders Eide
- James King (Copper Contributor)
Users signing on with a PIN are blocked from accessing local SMB shares like on NAS devices with simple username/password logins.
Until MS fix this problem, Windows Hello has to be disabled if you use local file storage in this way (we use a NAS for backing up local systems).
- Thierry Vos (Copper Contributor)
Seems to me to be more of a policy-like setting on the NAS. Which type of NAS do you use? Also: Windows Hello is the way forward into password-less sign-ons. So keeping users secure, while keeping it simple ;-)
- AntReps (Copper Contributor)
Anders Eide To add to the SMB issue, PCs set up with Windows Hello during Windows setup complain that they have no local administrator account during recovery - meaning they can't be recovered.
The idea is solid, but as with virtually all of the recent 365 'improvements' turned on by default (clutter, focussed inbox etc) they're being foisted on users that don't need them, they are tricky if not impossible to remove, and just generate support issues needlessly.
- Thierry Vos (Copper Contributor)
Unless you have set up something incorrectly with Intune or another MDM provider, the first user to log on to a system will be given Admin permissions. The Local Admin account has been disabled by default since Windows Vista.
- Enigmativity (Copper Contributor)
This feature reduces security. The number of my users that forget their password because they never enter it is a security nightmare. They end up writing down their passwords! If they had to enter them often they'd remember.
- EdmirTaipi (Copper Contributor)
It can be done if you have Intune licenses.
If you haven't any, I suggest the following workaround:
First, set up an Intune trial:
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intune-free-trial
Assign one license to a random user, so we gain access to the Intune portal:
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment:
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/windowsEnrollment
Click on Windows Hello for Business and at the bottom, at "Configure Windows Hello for Business", select Disable, then Apply.
Please be advised to cancel the trial after completing these steps, so you will not be billed in the future.
Note: The Intune portal might change from time to time (design, arrangements).
- AtotehZ (Copper Contributor)
I just want to burn everything that has to do with Windows Hello with a blowtorch.
Why do they do this? When they do **bleep** like this I honestly feel like signing every single Microsoft center up to Scientology, Jehovah's Witnesses, other various spam packages and see how they like being bombarded with CRAP no one asked for. F*** OFF!
My problem with it is that it's invasive. At no point are you asked if you want to activate it and there's no obvious way to disable it. I could probably disable it if I had the time, but for god's sake. Why force it upon people without asking? It's dirty practices and deserves to be spat on.
- Zabica340 (Copper Contributor)
I agree!
- Stanvliet (Copper Contributor)
EdmirTaipi I just tried but unfortunately it didn't work either.
So I've tried 3 methods.
Method 1: Using Group policy settings.
If you are on Windows 10 Pro edition, you can change the group policy settings to disable PIN sign-in option for all users.
Open the Run dialog box by pressing the Windows key and the R key together.
Type GPEDIT.MSC and hit the Enter key.
Go to Computer Configuration -> Administrative Templates -> System -> Logon.
On the right side, double click on Turn on PIN sign-in and select Disabled.
Similarly disable the other Windows Hello options if any.
Exit the Group policy editor and reboot the computer.
Method 2: Disabling Windows Hello in Registry.
If setting Group policy doesn’t work, you may disable the sign in options which should disable Windows Hello options in all user accounts.
Disclaimer: The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on the computer. Windows often reads and updates the information in the registry.
Normally, software programs make registry changes automatically. You should not make unnecessary changes to the registry. Changing registry files incorrectly can cause Windows to stop working or make Windows report the wrong information.
Please take a backup of the registry. Follow the steps given in the link below:
How to back up and restore the registry in Windows
Open the Run dialog box by pressing the Windows key and the R key together.
Type Regedit and hit the Enter key.
When the Registry Editor opens, navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.
In the right pane, double click on the DWORD entry named value and set it to 0.
Method 3:
First, set up an Intune trial:
https://docs.microsoft.com/en-us/intune/fundamentals/free-trial-sign-up#sign-up-for-a-microsoft-intu...
Assign one license to a random user, so we gain access to the Intune portal:
https://devicemanagement.microsoft.com
Go to Devices > Windows > Windows Device enrollment:
https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/win...
Click on Windows Hello for Business and at the bottom, at "Configure Windows Hello for Business", select Disable, then Apply.
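The registry change from Method 2 above, as an added PowerShell example that is not part of the original post: it reports the current state of the `value` DWORD and, only when run with `-Apply` from an elevated session, exports a backup of the key before setting it to 0. The key path and value name come from the post; the `-Apply` and `-BackupDir` parameters and the `Get-SignInOptionsState` function are hypothetical names chosen for this sketch.

```powershell
# Added example: audit (and optionally set) the registry value named in Method 2.
# Key path and value name are taken from the post; parameter and function names are hypothetical.
[CmdletBinding()]
param(
    [switch]$Apply,                      # without -Apply the script only reports
    [string]$BackupDir = $env:TEMP       # assumption: where the .reg backup is written
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
$ValueName = 'value'

function Get-SignInOptionsState {
    # Distinguish "key absent", "value absent" and the two configured states.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return "Enabled ($($item.$ValueName))"
}

$before = Get-SignInOptionsState
Write-Output "Current state: $before"

if ($Apply) {
    # Writing under HKLM requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session to change HKLM.'
    }
    if ($before -eq 'KeyMissing') { throw "Key not found: $KeyPath" }

    # Export the key first so the change can be reverted by importing the .reg file.
    $backup  = Join-Path $BackupDir ('AllowSignInOptions-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    $regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value 0 -Type DWord
    Write-Output "Backup written to: $backup"
    Write-Output "New state: $(Get-SignInOptionsState)"
}
```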
- Hokhmah (Copper Contributor)
Intune/MS Endpoint Manager works, but it's another setting you're looking for.
Endpoint Security/Account protection -> Create Policy -> Policy Type: Account protection (Preview)
Here you have the setting "Block Windows Hello for Business". Set it to Enabled and push the policy to your devices and/or users. Worked perfectly for our customers.
Most likely one can find the same setting in a Configuration Profile. The relevant CSP is PassportForWork: https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp
- karan_angrish (Copper Contributor)
Intune > Windows Device enrollment
Click on Windows Hello for Business and at the bottom, at the "Configure Windows Hello for Business" select Disable, Apply