ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Disable Windows PIN Azure AD Joined PCs

    IT Discussion
    windows hello windows pin azure ad
    4
    8
    17.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NashBrydgesN
      NashBrydges
      last edited by

      I am setting up a few PCs for a client and want to disable the Windows Hello For Business option of using the PIN at login. I've disabled this in both User and Computer local group policy (since there's no way to do this via Azure unless you are using the full Intune subscription which they aren't). Once I disable this in local GP, I reboot PC and I'm still presented with the PIN as the default login option. I can click on the sign-in options to select password but I don't even want the PIN option to appear. Anyone have an idea how I can disable this completely? This is what I followed to disable.

      https://docs.microsoft.com/en-gb/windows/security/identity-protection/hello-for-business/hello-manage-in-organization

      All are running Windows 10 Pro and connected to Azure AD. They have an Office 365 Business Premium subscription.

      travisdh1T 1 Reply Last reply Reply Quote 0
      • travisdh1T
        travisdh1 @NashBrydges
        last edited by

        @NashBrydges That looks like it only disables provisioning of pins to me, not disabling any existing pin.

        NashBrydgesN 1 Reply Last reply Reply Quote 0
        • NashBrydgesN
          NashBrydges @travisdh1
          last edited by

          @travisdh1 said in Disable Windows PIN Azure AD Joined PCs:

          @NashBrydges That looks like it only disables provisioning of pins to me, not disabling any existing pin.

          Yeah, I'm guessing that's the case. My google-fu is failing me on finding a true disable solution. Back to search I go.

          1 Reply Last reply Reply Quote 0
          • black3dynamiteB
            black3dynamite
            last edited by

            Not sure if we are allowed to post Spiceworks url here anymore but this came from user called SauceOverflow.

            There is one registry key you can set and you also need to delete a file. Disabling Windows Hello does not disable an existing PIN.

            1. Remove existing PIN
              Delete the following folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\

            2. Disable Windows Hello (disables PIN, Face, whatever sigin prompt and setup)
              [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork] "Enabled"=dword:00000000

            NashBrydgesN 1 Reply Last reply Reply Quote 0
            • black3dynamiteB
              black3dynamite
              last edited by black3dynamite

              If available, use Microsoft Intune.
              https://docs.microsoft.com/en-us/intune/windows-hello

              1 Reply Last reply Reply Quote 0
              • NashBrydgesN
                NashBrydges @black3dynamite
                last edited by

                @black3dynamite said in Disable Windows PIN Azure AD Joined PCs:

                Not sure if we are allowed to post Spiceworks url here anymore but this came from user called SauceOverflow.

                There is one registry key you can set and you also need to delete a file. Disabling Windows Hello does not disable an existing PIN.

                1. Remove existing PIN
                  Delete the following folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\

                2. Disable Windows Hello (disables PIN, Face, whatever sigin prompt and setup)
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork] "Enabled"=dword:00000000

                Awesome. Will give this a try!

                M 1 Reply Last reply Reply Quote 0
                • M
                  MichiganBB @NashBrydges
                  last edited by

                  @nashbrydges Could you PLEASE PLEASE follow-up on this post?
                  Nothing more frustrating than spending hours following dead posts like this one where
                  Somebody asks the same question you had, people try to help and you don;t ever come back to
                  report on your results and if it worked or not.

                  What did you do?
                  Where are you at with it now?

                  I found that NGC is not removable, and when booting offline the directory does not exist so I can't delete it that way either.
                  It seems to be recreated on startup and is locked hard from removing.

                  I simply want users to only have a password login option and I do not want to pay for intune spend a week in training for it to manage only three computers, and remove this annoying feature.

                  NashBrydgesN 1 Reply Last reply Reply Quote 0
                  • NashBrydgesN
                    NashBrydges @MichiganBB
                    last edited by

                    @michiganbb So you thought that necro-posting and whining about a 3yo post would be useful? Give it a try and see if that fixes your issue. You would have to do this anyway. Even if something works for one, doesn't mean there's a guarantee it works for you,. Backup the PC and try the changes. If they don't work...move on to something else.

                    There was NO resolution here. Client was one of those who was difficult getting payment from so we terminated the relationship before we did anything else.

                    1 Reply Last reply Reply Quote 1
                    • 1 / 1
                    • First post
                      Last post