Windows Hello for Business is a secure authentication method that utilizes biometrics (face/fingerprint) or a PIN for user authentication. It replaces passwords with robust two-factor authentication on devices.
Windows Hello for Business (WHfB) is enabled by default when you join a device to Microsoft Entra. However, not all organizations would use this feature and want to disable it altogether.
During the Autopilot out-of-box experience (OOBE), you’ll find a screen related to Windows Hello for Business by default, with a message such as Use Windows Hello with your account or Your organization requires Windows Hello.
In this blog post, we will look into the settings to disable windows hello for business. You can further disable WHfB post provisioning and also delete WHfB registration from the device.
Contents
Methods to Disable/Turn off Windows Hello for Business
Windows Hello for Business settings are available at multiple places on the Intune admin center, making it a bit confusing to choose the right one. Let’s simplify and find the correct options.
During Device Enrollment
- Disable WHfB from Windows Enrollment Settings: Go to Intune admin center > Devices > Enrollment > Click on Windows Hello for Business under Windows tab and set Configure Windows Hello for Business setting to Disabled. This is a tenant-wide policy and targets your entire organization. This setting also supports Autopilot out-of-box experience (OOBE).
After Device Enrollment
After enrolling the device in Intune, WHfB can be disabled for users through various methods. Unlike tenant-wide policies, these policies can be scoped to specific users or devices.
- Device Configuration Profile > Identity Protection.
- Endpoint security > Account Protection (Preview).
- Device Configuration Profile > Settings Catalog.
- Security Baseline Templates.
- Using a Custom OMA-URI.
Which method to use for Disabling WHfB?
To disable WHfB for the entire organization, go to Devices > Enrollment > Click on Windows Hello for Business under Windows tab and set Configure Windows Hello for Business setting to Disabled. Once the policy is applied, users won’t see the WHfB configuration window during the device enrollment process.
Then, disable WHfB using Device Configuration Profile > Identity Protection Template
You can disable WHfB by selecting any After Device Enrollment methods mentioned earlier. I prefer the Identity Protection template or the Endpoint Security > Account Protection method.
In Summary, Disable WHfB using Windows Enrollment at the tenant level and use the Identity Protection template to disable it after device enrollment/post login.
If you want to disable WHfB at tenant level so that users won’t see WHfB screen during OOBE but still want to implement it for specific users or devices, then you can use Device Configuration Profile > Identity Protection template. Enable WHfB instead of Disabling and target it to specific devices.
Once you enable WHfB using the Identity Protection template, users will be prompted to configure WHfB. They will have the option to Skip it, but it will re-appear when users will restart their device and login again. You can disable WHfB post logon provisioning by creating few registry keys. For more Information, refer to the blog post: Disable WHfB Post Logon Provisioning using Intune.
Disable WHfB during device enrollment while still allowing it to be set up for specific users/devices
If you have enabled WHfB and adjusted its settings, such as PIN length and complexity etc., ensure consistency across all WHfB profiles. Using different methods to configure the same WHfB setting on a device may lead to conflicts.
For example, if you set a minimum PIN length of 6 through Windows Enrollment and then use a Device Configuration Profile to set it to 10, applied to the same device, it will result in a conflict.
WHfB settings Conflict
In the upcoming sections of the blog post, we will see both the options discussed earlier, which will disable WHfB altogether. Let’s dive in:
1. Disable WHfB using Windows Enrollment [tenant-wide]
As mentioned, we’ll start by turning off Windows Hello for Business (WHfB) at the tenant level. That means it will disable it for all users and devices in your organization.
- Sign in to the Intune admin center > Devices > Enrollment > Click on Windows Hello for Business under Windows tab and set Configure Windows Hello for Business setting to Disabled.
- Click on Save to save the changes.
It’s important to highlight that even if you choose Disabled from the drop-down menu, you’ll still have access to Windows Hello for Business (WHfB) settings for configuration even though WHfB is disabled. This is possible because you can still enable WHfB from other places in the Intune admin center, as discussed earlier in this blog post.
Note
2. Disable WHfB using Identity Protection Template
- Sign in to the Intune admin center >Devices > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile: Templates
- Template Name: Identity protection
- Basics Tab: Provide a Name and Description of the profile.
- Configuration settings:
- Configure Windows Hello for Business: Disable
- Use security key for sign-in: Not configured
- Assignments: Click Add Groups and select an Entra security group containing users/devices.
- Applicability Rules: You can create rules for assigning this device configuration profile, ensuring it applies only to devices meeting specific criteria, such as OS Edition. If you prefer not to create such a rule, click Next without specifying anything on this page.
- Review + create: Review the device configuration profile settings and click on Create.
Monitoring Deployment Progress
- Sign in to the Intune admin center >Devices > Configuration.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
End User Experience
After configuring both the tenant-wide setting and a device configuration profile to disable WHfB, users won’t see any WHfB pop-up windows. Additionally, if you check the Settings App on a targeted device, the Sign-in options for Windows Hello will be greyed out.
To further verify WHfB configuration settings, you can use Event viewer as well. Let’s check the steps:
- Press Windows Key + R to open the Run dialog box.
- Type eventvwr and press Enter to open Event viewer.
- Navigate to Application and Services Logs > Microsoft > Windows > User Device Registration > Admin.
- Look for Event ID 360, which is related to WHfB.
FAQS
How to delete Windows Hello for Business Registrations?
If you want to completely remove Windows Hello for Business registrations from a Windows 10 or 11 devices, you can use certutil.exe -deleteHelloContainer command.
For more information, refer to the link: Delete Windows Hello for Business registrations.
Great article
Well done on the article, best I have seen yet.
Question: My intune environment has Windows hello set to not configured. If i toggle it to disabled as demonstrated above, what will happen to end users that may have turned it on during enrollment?
Hello,
Have you ever got an answer on this question ?