Remove Windows Hello after disabling in Intune

Enabling Windows Hello for Business in Intune is quite easy, as the Microsoft Docs are very complete and straightforward. However, if you change your mind and want to disable Windows Hello for Business afterward, there’s no documentation at all. Simply setting the slider “Configure Windows Hello for Business” to OFF is not the solution. It will disable Windows Hello on new devices, but already enrolled devices will keep the PIN-based authentication method configured.

A potential solution would be to delete the current Windows Hello for Business configuration on the device. The command (in user context) is

certutil /deletehellocontainer

However, this only resets the current database. Once you log off and log on again, the Hello for Business setup wizard pops up and you are forced to enter a PIN; there is no way to skip it.

So, how do you disable Windows Hello for Business completely on a device that was already set up to use WHfB? Below I have described how I disabled Windows Hello for my clients. If you have any questions afterward, feel free to leave a comment and I’ll be happy to respond.

How to disable Windows Hello for Business on Intune managed devices

In my experience, you need to perform four steps to disable Windows Hello for Business on devices that are already Intune-enrolled:

  • Intune: disable Windows Hello for Business in Windows Enrollment
  • Intune: disable Windows Hello for Business in Endpoint Security
  • Local computer: configure Group Policy setting Use Windows Hello for Business to Disabled
  • Local computer: configure Group Policy setting Turn on convenience PIN sign-in to Disabled

I’ve written these steps in more detail below.

Intune: disable Windows Hello for Business in Windows Enrollment

The Hello for Business setting in Enrollment is a tenant-wide setting. It applies to the OOBE (Out-of-the-Box Experience) setup when you configure a device for the first time. If you have enabled WHfB here, users are prompted with the WHfB wizard. You need to disable this option if you haven’t already.

Navigate to this option from Microsoft Endpoint Manager admin center -> Devices -> Enroll Devices -> Windows Hello for Business

Windows Hello for Business enrollment

Intune: disable Windows Hello for Business in Endpoint Security

In Endpoint Security -> Account Protection, you can configure Hello for Business for a specific group of users. This is very useful when you are starting a pilot.

Because I have turned off Windows Hello for Business at enrollment, I need to set Block Windows Hello for Business to Disabled in Account Protection. (Note the double negative, just to make it easier to get confused :-) ). If you want to disable PIN logon for a specific user, you need to either

  • remove the user from the Included groups, or
  • add the user to the Excluded Groups, or
  • enable Block Windows Hello for Business (this then applies to all users in the Included Groups).

Here’s how the setting looks in Endpoint Security:

Account Protection hello for business

Local computer: configure Group Policy setting Use Windows Hello for Business to Disabled

In the local group policy of the computer, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business

Set Use Windows Hello for Business to Disabled

Windows Hello for Business to Disabled

Local computer: configure Group Policy setting Turn on convenience PIN sign-in to Disabled

In the local group policy of the computer, navigate to Computer Configuration -> Administrative Templates -> System -> Logon

Set Turn on convenience PIN sign-in to Disabled

Turn on convenience PIN sign-in to Disabled

Test your configuration

Once you have configured Windows Hello for Business as described above, run certutil /deletehellocontainer on the device in the user context, then log off and log on. You should now be prompted for your password, with no option to enter a PIN.
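The two local Group Policy steps above (Use Windows Hello for Business to Disabled, Turn on convenience PIN sign-in to Disabled) can also be applied and checked from a script, which is handy when you want to prepare several devices before running the test in this section. The following PowerShell is an added example and is not part of the original article. It assumes the standard registry mapping of these two administrative-template policies (PassportForWork\Enabled and Windows\System\AllowDomainPINLogon under HKLM\SOFTWARE\Policies); the function names Set-WhfbDisabledPolicy and Test-WhfbDisabledPolicy are my own. Run it in an elevated session.

```powershell
# Added example, not from the original article.
# Assumption: the two local GPO settings from the article are backed by the
# registry values below (the usual mapping of these admin-template policies).
# Requires an elevated (administrator) PowerShell session.

$Policies = @(
    @{
        Name  = 'Use Windows Hello for Business = Disabled'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
        Value = 'Enabled'
        Data  = 0
    },
    @{
        Name  = 'Turn on convenience PIN sign-in = Disabled'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Value = 'AllowDomainPINLogon'
        Data  = 0
    }
)

# Writes both policy values (creates the key if it does not exist yet).
function Set-WhfbDisabledPolicy {
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) {
            New-Item -Path $p.Path -Force | Out-Null
        }
        New-ItemProperty -Path $p.Path -Name $p.Value -PropertyType DWord `
            -Value $p.Data -Force | Out-Null
        Write-Host "Applied : $($p.Name)"
    }
}

# Reads both values back and returns $true only if both match the expected data.
function Test-WhfbDisabledPolicy {
    $ok = $true
    foreach ($p in $Policies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Value `
            -ErrorAction SilentlyContinue).($p.Value)
        if ($current -eq $p.Data) {
            Write-Host "OK      : $($p.Name)"
        } else {
            Write-Warning "MISSING : $($p.Name) (current value: '$current')"
            $ok = $false
        }
    }
    return $ok
}

Set-WhfbDisabledPolicy
if (Test-WhfbDisabledPolicy) {
    Write-Host 'Both local policies are in place.'
    Write-Host 'Next: run "certutil /deletehellocontainer" as the user, then log off and log on.'
}
```

Because the script writes the policy values directly, the Local Group Policy Editor will not show the two settings as configured (it reads its own registry.pol file, not these keys); the effect on sign-in is the same. Run Test-WhfbDisabledPolicy on its own when you only want to check a device before the log-off test described above.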

If this article did not help you solve your problem, please leave a comment! This website is visited thousands of times a day. There is a good chance that I or someone else has an answer to your question.

In addition, if you have a better solution for this problem, please leave a comment too! It may help me improve this article, as well as you may help other users facing this issue.

Steve

Thanks for the info.
We are using Azure AD with Endpoint Security. I want the office computers to have NO PIN. But all of the shared computers in shipping and the production floor to have PIN only.
I keep trying things but can’t get it to work. Any suggestions?
