Microsoft Intune

Copper Contributor

I'm looking to use Intune for the first time for a client.  From what I've discovered, it appears that using Intune asks the users to setup a PIN to sign into their Azure AD-joined computer.  How can I prevent the use of a PIN to log into the machine and for password authentication?

 

I believe the use of a PIN also involves 2FA using their mobile phone number, but I'd prefer to require password authentication.

 

If I'm off base, please correct my understanding.

 

Thank you!

 

Kevin Frye

9 Replies
What type of devices are in your use case? And do you have AD FS?
In this case we are just concerned with Windows 10 computers. They will ultimately be Azure AD joined and without a local domain controller.

I think the PIN element is part of Windows Hello for Business. I am not aware of a way to remove this if they are AD Joined.

 

When creating a PIN it may prompt to verify identity with a text or phone call, this part can be skipped if you have ADFS but a PIN would still be required to set up.

It's correct that Windows Hello is a services that is included in Windows 10 and that it's the cause of the PIN request and MFA promting. But if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining you can actually disable Windows Hello for Business with a setting in Intune.

https://docs.microsoft.com/en-us/intune-classic/deploy-use/control-microsoft-passport-settings-on-de...

 

But for Windows 10 Mobile this setting will not have any affect since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.

Btw. This is also true even if you don't use ADFS.
I have tested removing the requirement for a PIN Code from a windows 10 device (desktop/tablet) but still prompted for a PIN even though Windows Hello was disabled.

This is what happened in our case so had to keep the PIN feature, this may well have changed after updates now.
best response confirmed by Kevin Frye (Copper Contributor)
Solution

This was true with the Windows 10 desktop 1511 version, the setting didn't have any effect, but with the 1607 version that changed. I've verified this not that long ago.

Thank you!  Between you and John Guy, you pieced together why I read reports of this option in Intune to disable PINs was doing nothing.  But this makes sense- the newer versions of Win10 fixed that issue.

 

Thank you both!

 

As a follow-up, does anyone know if you can disable PIN authentication without Intune?  I know we can do it via Local Security Policy, but I am curious of Azure AD itself, without Intune, can centerally manage this setting.

 

Thanks again!

Sorry for my late reply on your last question. No, I havn't seen or heard of a setting for that only in Azure AD itself. 

1 best response

Accepted Solutions
best response confirmed by Kevin Frye (Copper Contributor)
Solution

This was true with the Windows 10 desktop 1511 version, the setting didn't have any effect, but with the 1607 version that changed. I've verified this not that long ago.

View solution in original post