Disable Windows Hello for Business using Intune

Windows Hello for Business is a secure authentication method that utilizes biometrics (face/fingerprint) or a PIN for user authentication. It replaces passwords with robust two-factor authentication on devices.

Windows Hello for Business (WHfB) is enabled by default when you join a device to Microsoft Entra. However, not every organization uses this feature, and some want to disable it altogether.

During the Autopilot out-of-box experience (OOBE), you’ll find a screen related to Windows Hello for Business by default, with a message such as Use Windows Hello with your account or Your organization requires Windows Hello.

In addition, the WHfB screen shows the following information:

Your organization requires you to set up your work or school account with Windows Hello Face, Fingerprint, or PIN. If you have already set up Windows Hello on this device, we’ll automatically add it for this account. You may be asked to re-verify with Windows Hello. If your organization requires a more complex PIN, Windows will prompt you to change it.

Use Windows Hello with your account

This blog post will walk through the steps to fully disable it, ensuring that users won’t see this screen during OOBE or after logging in. I’ve covered other aspects of WHfB disablement in related blog posts; feel free to check them out for additional assistance.

Disable WHfB Post Logon Provisioning using Intune

Intune: Delete Windows Hello for Business registrations

More Helpful Guides on WHfB
Windows Hello for Business configuration window

Methods to Disable/Turn off Windows Hello for Business

Windows Hello for Business settings are available at multiple places on the Intune admin center, making it a bit confusing to choose the right one. Let’s simplify and find the correct options.

During Device Enrollment

  • Disable WHfB using Windows Enrollment settings: navigate to Devices > Enroll devices > Windows Enrollment. This is a tenant-wide policy that targets your entire organization, and it also applies during the Autopilot out-of-box experience (OOBE).

After Device Enrollment

After enrolling the device in Intune, WHfB can be disabled for users through various methods. Unlike tenant-wide policies, these policies can be scoped to specific users or devices.

  1. Device Configuration Profile > Identity Protection.
  2. Endpoint security > Account Protection (Preview).
  3. Device Configuration Profile > Settings Catalog.
  4. Security Baseline Templates.
  5. Using a Custom OMA-URI.

Which method should you use to disable WHfB?

To disable WHfB for the entire organization, go to Devices > Enroll devices > Windows Enrollment and set Configure Windows Hello for Business to Disabled. Once the policy is applied, users won’t see the WHfB configuration window during the device enrollment process.

Disable WHfB using a Device configuration profile by going to Device Configuration Profile > Identity Protection.

You can disable WHfB with any of the After Device Enrollment methods mentioned earlier. I prefer the Identity Protection template or the Endpoint security > Account Protection method.

In summary, disable WHfB using Windows Enrollment at the tenant level, and use the Identity Protection template to disable it after device enrollment (post logon).

If you want to disable WHfB at the tenant level so that users won’t see the WHfB screen during OOBE, but still want to implement it for specific users or devices, use the Device Configuration Profile > Identity Protection template with Configure Windows Hello for Business set to Enable instead of Disable, and target it to those specific devices.

Once you enable WHfB using the Identity Protection template, users will be prompted to configure WHfB. They will have the option to skip it, but the prompt reappears when users restart their device and log in again. You can disable WHfB post-logon provisioning by creating a few registry keys. For more information, refer to the blog post: Disable WHfB Post Logon Provisioning using Intune.

Disable WHfB during device enrollment while still allowing it to be set up for specific users/devices

If you have enabled WHfB and adjusted its settings, such as PIN length and complexity, ensure consistency across all WHfB profiles. Using different methods to configure the same WHfB setting on a device may lead to conflicts.

For instance, if you set a minimum PIN length of 6 through Windows Enrollment and then use a Device Configuration Profile to set it to 10, applied to the same device, it will result in a conflict.

WHfB settings conflict (only when you have chosen to enable WHfB)

In the upcoming sections of the blog post, we will walk through both options discussed earlier, each of which disables WHfB altogether. Let’s dive in:

1. Disable WHfB using Windows Enrollment [tenant-wide]

As mentioned, we’ll start by turning off Windows Hello for Business (WHfB) at the tenant level, which disables it for all users and devices in your organization.

Let’s check the steps:

  • Sign in to the Intune admin center.
  • Go to Devices > Enroll devices > Windows Enrollment.
  • Click on Windows Hello for Business.
Disable WHfB using Windows Enrollment
  • Use the Configure Windows Hello for Business option drop-down and select Disabled.
  • Click on Save to save the changes.

It’s important to highlight that even after you select Disabled from the drop-down menu, the remaining Windows Hello for Business (WHfB) settings on this page stay available for configuration. This is because WHfB can still be enabled from other places in the Intune admin center, as discussed earlier in this blog post.

Disable WHfB using Windows Enrollment

2. Disable WHfB using Identity Protection Template

We will also disable WHfB using the Identity Protection template of a device configuration profile. Let’s check the steps:

  • Sign in to the Intune admin center.
  • Go to Devices > Configuration.
  • Click on Create > New Policy.
Disable WHfB using Identity Protection Template
  • Platform: Windows 10 and later
  • Profile: Templates
  • Template Name: Identity protection
Disable WHfB using Identity Protection Template

Basics Tab

Provide a name and description for the profile. For example:

  • Name: Disable Windows Hello for Business
  • Description: This device configuration profile will disable Windows Hello for Business on targeted devices/users.
Disable WHfB using Identity Protection Template

Configuration settings

Adjust the settings on the Configuration settings tab as follows and click on Next.

  • Configure Windows Hello for Business: Disable
  • Use security key for sign-in: Not configured
Disable WHfB using Identity Protection Template

Assignments

Click Add groups and select an Entra security group containing users or devices. I prefer to target devices for a more controlled deployment.

Disable WHfB using Identity Protection Template

Applicability Rules

You can create rules for assigning this device configuration profile, ensuring it applies only to devices meeting specific criteria, such as OS Edition. If you prefer not to create such a rule, click Next without specifying anything on this page.

Disable WHfB using Identity Protection Template

Review + create

Review the device configuration profile settings and click on Create.

Disable WHfB using Identity Protection Template

Monitoring

To monitor the deployment progress of a device configuration profile, follow these steps:

  • Sign in to the Intune admin center.
  • Click on Devices and then select Configuration.
  • Choose the device configuration profile you want to check. At the top of the page you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress counts.
  • Click on View report to access more detailed information.
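The same report can be pulled from Microsoft Graph, which is handy when you want to check a profile from a script or watch for Conflict rows after rolling out WHfB settings. The following is an added example and not code from the original post: it looks up the Identity Protection profile by display name under the deviceConfigurations resource, pages through its per-device status rows, and summarizes them. The profile name, the Graph permission scope, and the property names used in the report (deviceDisplayName, userPrincipalName, status, lastReportedDateTime) are assumptions for this example; it requires the Microsoft.Graph.Authentication module.

```powershell
# Added example (not from the original post): summarize how an Intune device
# configuration profile is landing on devices via Microsoft Graph.

function Get-IntuneProfileStatusSummary {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$GraphBase = 'https://graph.microsoft.com/v1.0'
    )

    # Identity Protection template profiles are deviceConfigurations resources.
    # (Settings catalog profiles are a different resource, configurationPolicies.)
    $filter = "displayName eq '" + $DisplayName.Replace("'", "''") + "'"
    $uri = "$GraphBase/deviceManagement/deviceConfigurations?`$filter=" +
           [uri]::EscapeDataString($filter)
    $cfg = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
        Select-Object -First 1
    if (-not $cfg) { throw "No device configuration profile named '$DisplayName' was found." }

    # Page through every per-device status row for the profile.
    $rows = @()
    $uri = "$GraphBase/deviceManagement/deviceConfigurations/$($cfg.id)/deviceStatuses"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rows += $page.value
        $uri = $page.'@odata.nextLink'
    }

    # Count devices per status (compliant, nonCompliant, error, conflict, ...).
    $summary = $rows | Group-Object -Property status |
        Select-Object @{ n = 'Status'; e = { $_.Name } }, @{ n = 'Devices'; e = { $_.Count } }

    # Conflict rows are the interesting ones for WHfB: they usually mean two
    # profiles (for example Windows Enrollment and a device configuration
    # profile) set the same setting to different values on one device.
    $problems = $rows |
        Where-Object { $_.status -in @('conflict', 'error', 'nonCompliant') } |
        Select-Object deviceDisplayName, userPrincipalName, status, lastReportedDateTime

    [pscustomobject]@{
        ProfileId   = $cfg.id
        ProfileName = $cfg.displayName
        Summary     = $summary
        Problems    = $problems
    }
}

# Usage: interactive sign-in with a read-only scope is enough for reporting.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
$report = Get-IntuneProfileStatusSummary -DisplayName 'Disable Windows Hello for Business'
$report.Summary  | Format-Table -AutoSize
$report.Problems | Format-Table -AutoSize
```

Run it after the assignment has had time to evaluate; a device that shows conflict here is exactly the PIN-length scenario described earlier, and the row tells you which device and user to look at.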

End-user Experience

After configuring both the tenant-wide setting and a device configuration profile to disable WHfB, users won’t see any WHfB pop-up windows. Additionally, if you check the Settings App on a targeted device, the Sign-in options for Windows Hello will be greyed out.

End-user Experience

To further verify the WHfB configuration, you can use Event Viewer as well. Let’s check the steps:

  • Press Windows Key + R to open the Run dialog box.
  • Type eventvwr and press Enter to open Event Viewer.
  • Navigate to Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.
  • Look for Event ID 360, which is related to WHfB provisioning.
End-user Experience
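The Event Viewer check above can be scripted so that a helpdesk engineer, or a remediation script, can confirm from the device side that the Disabled policy actually landed. The following is an added example and not code from the original post: it reads the latest Event ID 360 from the User Device Registration Admin log and the policy values written to the registry. The registry paths (the PassportForWork CSP’s per-tenant key and the Group Policy key), the "Policy enabled: No" text matched in the event message, and the meaning of value 0 are assumptions for this example; run it in an elevated PowerShell session on an enrolled device.

```powershell
# Added example (not from the original post): verify from the device side
# that Windows Hello for Business provisioning is disabled by policy.

function Get-WhfbProvisioningEvents {
    param([int]$MaxEvents = 3)
    # Event 360 ("Windows Hello for Business provisioning will not be launched")
    # is written to the User Device Registration log at sign-in.
    $filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 360 }
    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        @()   # Get-WinEvent throws when no matching events exist
    }
}

function Get-WhfbPolicyRegistryState {
    # Assumed location of MDM (Intune) policy written by the PassportForWork CSP,
    # one subkey per tenant ID.
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    # Assumed location of the Group Policy "Use Windows Hello for Business" value.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

    $mdm = @()
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem -Path $mdmRoot) {
            $polKey = Join-Path $tenant.PSPath 'Device\Policies'
            if (Test-Path $polKey) {
                $val = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).UsePassportForWork
                $mdm += [pscustomobject]@{ TenantId = $tenant.PSChildName; UsePassportForWork = $val }
            }
        }
    }
    $gpo = $null
    if (Test-Path $gpoKey) {
        $gpo = (Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue).Enabled
    }
    [pscustomobject]@{ MdmDevicePolicy = $mdm; GpoEnabled = $gpo }
}

function Test-WhfbDisabled {
    $state  = Get-WhfbPolicyRegistryState
    $latest = Get-WhfbProvisioningEvents -MaxEvents 1 | Select-Object -First 1

    # Assumption: UsePassportForWork = 0 corresponds to
    # "Configure Windows Hello for Business = Disabled" in the Intune profile.
    $mdmDisabled = @($state.MdmDevicePolicy | Where-Object { $_.UsePassportForWork -eq 0 }).Count -gt 0
    # Assumption: Event 360 lists the reasons provisioning is skipped, and
    # "Policy enabled: No" is the line that reflects the Disabled policy.
    $eventSaysDisabled = [bool]($latest -and ($latest.Message -match 'Policy enabled:\s*No'))

    [pscustomobject]@{
        MdmPolicySetToDisabled  = $mdmDisabled
        GpoEnabledValue         = $state.GpoEnabled
        LastEvent360Time        = if ($latest) { $latest.TimeCreated } else { $null }
        Event360ReportsDisabled = $eventSaysDisabled
        LikelyDisabled          = $mdmDisabled -or $eventSaysDisabled
    }
}

# Usage: print the verdict, then the full text of the most recent Event 360.
Test-WhfbDisabled | Format-List
(Get-WhfbProvisioningEvents -MaxEvents 1).Message
```

If MdmPolicySetToDisabled is false but the Intune report shows the profile as succeeded, the device has probably not synced yet; the event log entry only appears at the next sign-in, so a reboot and login is the quickest way to refresh both signals.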

FAQs

How do I delete Windows Hello for Business registrations?

If you want to completely remove Windows Hello for Business registrations from a Windows 10 or 11 device, you must use the certutil.exe -deleteHelloContainer command.

I have also made use of this command and deployed it via Intune. Refer to my other blog post, which provides steps to delete WHfB registrations using Intune: Delete Windows Hello for Business registrations.
