Windows Hello for Business is a secure authentication method utilizing biometrics (face/fingerprint) or a PIN for user authentication. Windows Hello for Business replaces passwords with robust two-factor authentication on devices.
When you join a device to Microsoft Entra, Windows Hello for Business (WHfB) is enabled by default. However, not every organization uses this feature, and some want to disable it completely.
During Autopilot out-of-box experience (OOBE), by default, you’ll find a screen related to Windows Hello for Business with a message such as “Use Windows Hello with your account” or “Your organization requires Windows Hello”.
In addition, you will see the following information on the WHfB screen:
Your organization requires you to set up your work or school account with Windows Hello Face, Fingerprint, or PIN. If you have already set up Windows Hello on this device, we’ll automatically add it for this account. You may be asked to re-verify with Windows Hello. If your organization requires a more complex PIN, Windows will prompt you to change it.
In this blog post, we will go through the steps to fully disable it, confirming that users won’t see the screen above during OOBE or after logging in. I’ve covered more on WHfB in related blog posts. Feel free to check them out for additional assistance.
Methods to Disable/Turn off Windows Hello for Business
Windows Hello for Business settings are available at multiple places on the Intune admin center, making it a bit confusing to choose the right one. Let’s simplify and find the correct options.
During Device Enrollment
- Disable WHfB using Windows Enrollment Settings: You can disable WHfB during device enrollment by navigating to Devices > Enroll devices > Windows Enrollment. This is a tenant-wide policy and targets your entire organization. This setting also applies during the Autopilot out-of-box experience (OOBE).
After Device Enrollment
After the device is enrolled in Intune, WHfB can be disabled for users through various methods. Unlike the tenant-wide policy, these policies can be scoped to specific users or devices.
- Device Configuration Profile > Identity Protection.
- Endpoint security > Account Protection (Preview).
- Device Configuration Profile > Settings Catalog.
- Security Baseline Templates.
- Using a Custom OMA-URI.
Which method to use for Disabling WHfB?
To disable WHfB for the entire organization, go to Devices > Enroll devices > Windows Enrollment and set Configure Windows Hello for Business to Disabled. Once the policy is applied, users won’t see the WHfB configuration window during the device enrollment process.
Additionally, disable WHfB using a Device configuration profile by going to Device Configuration Profile > Identity Protection.
You have the flexibility to select any of the “After Device Enrollment” methods mentioned earlier to disable WHfB. My preference is the Identity Protection template or the Endpoint Security > Account Protection method.
In summary, disable WHfB using Windows Enrollment to turn it off at the tenant level, and use the Identity Protection template to also disable it after device enrollment/post-login.
If you want to disable WHfB at the tenant level so that users won’t see the WHfB screen during OOBE, but still want to implement it for specific users or devices, use the Device Configuration Profile > Identity Protection template, choose Enable WHfB instead of Disable, and target it to those specific devices.
Once you enable WHfB using the Identity Protection template, users will be prompted to configure WHfB. They will have the option to skip it, but the prompt will re-appear when users restart their device and log in again. You can disable WHfB post-logon provisioning by creating a few registry keys. For more information, refer to the blog post: Disable WHfB Post Logon Provisioning using Intune.
If you have enabled WHfB and adjusted its settings, such as PIN length and complexity, ensure consistency across all WHfB profiles. Using different methods to configure the same WHfB setting on a device may lead to conflicts.
For instance, if you set a minimum PIN length of 6 through Windows Enrollment and then use a Device Configuration Profile to set it to 10 on the same device, the result is a conflict. This only applies when you have chosen to enable WHfB.
In the upcoming sections of the blog post, we will walk through both options discussed earlier, which together disable WHfB completely. Let’s dive in:
1. Disable WHfB using Windows Enrollment [tenant-wide]
As mentioned before, we’ll start by turning off Windows Hello for Business (WHfB) at the tenant level. That means it will disable it for all users and devices in your organization.
Let’s check the steps:
- Sign in to Microsoft Intune admin center
- Go to Devices > Enroll devices > Windows Enrollment
- Click on Windows Hello for Business.
- Use the “Configure Windows Hello for Business” option drop-down and select Disabled.
- Click on Save to save the changes.
Note that even after you select “Disabled” from the drop-down menu, the Windows Hello for Business (WHfB) settings remain available for configuration. This is because WHfB can still be enabled from other places in the Intune admin center, as discussed earlier in this blog post.
2. Disable WHfB using Identity Protection Template
We will also disable WHfB using the Identity Protection template of the Device configuration profile. Let’s check the steps:
- Sign in to Microsoft Intune admin center
- Go to Devices > Configuration profiles.
- Click on Create > New Policy
- Platform: Windows 10 and later
- Profile: Templates
- Template Name: Identity protection
Provide a Name and Description of the profile. For example:
- Name: Disable Windows Hello for Business
- Description: This Device configuration profile will disable Windows Hello for Business on targeted devices/users.
Adjust the settings on the “Configuration settings” tab as follows and click on Next.
- Configure Windows Hello for Business: Disable
- Use security key for sign-in: Not configured
Click on Add groups and select an Entra security group containing either users or devices. I prefer to target it to devices, therefore
You have the option to create rules for assigning this device configuration profile, ensuring it applies only to devices meeting specific criteria, such as OS Edition. If you prefer not to create such a rule, simply click on Next without specifying anything on this page.
Review + create
Review the device configuration profile settings and click on Create.
To monitor the deployment progress of a Device configuration profile, follow these steps:
- Sign in to the Intune admin center.
- Click on “Devices” and then select “Configuration profiles”.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access more detailed information.
After configuring both the tenant-wide setting and a device configuration profile to disable WHfB, users won’t see any WHfB pop-up windows. Additionally, if you check the Settings App on a targeted device, the Sign-in options for Windows Hello will be greyed out.
To further verify WHfB configuration settings, you can use Event viewer as well. Let’s check the steps:
- Press Windows Key + R to open the Run dialog box.
- Type eventvwr and press Enter to open Event viewer.
- Navigate to Application and Services Logs > Microsoft > Windows > User Device Registration > Admin.
- Look for Event ID 360 which is related to WHfB.
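The Settings app and Event Viewer checks above can be scripted so you can verify a fleet of targeted devices. The function below is an added example, not part of the original post; the Group Policy registry key, the per-tenant MDM registry path and the dsregcmd field names are assumptions about where Windows records WHfB policy state, and it must run in an elevated PowerShell session.

```powershell
# Added example: collect WHfB policy state on a device from four independent signals.
# Assumed locations: GPO key HKLM\SOFTWARE\Policies\Microsoft\PassportForWork (Enabled),
# MDM key HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies
# (UsePassportForWork), the "Ngc Prerequisite Check" block of dsregcmd /status, and
# Event ID 360 in the User Device Registration admin log referenced in the post.
function Get-WhfbPolicyState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Group Policy location: Enabled = 0 means WHfB is disabled by GPO.
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue
    $result.GpoEnabled = if ($null -ne $gpo) { $gpo.Enabled } else { 'not set' }

    # 2. MDM (Intune) location: one subkey per tenant; UsePassportForWork = 0 means disabled.
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    $result.MdmUsePassportForWork = Get-ChildItem -Path $mdmRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $policies = Join-Path $_.PSPath 'Device\Policies'
            (Get-ItemProperty -Path $policies -ErrorAction SilentlyContinue).UsePassportForWork
        } | Where-Object { $null -ne $_ }

    # 3. dsregcmd /status: with WHfB disabled, PolicyEnabled should read NO.
    $status = dsregcmd /status
    foreach ($field in 'PolicyEnabled', 'PostLogonEnabled', 'PreReqResult') {
        $line = $status | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
        $result[$field] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
    }

    # 4. Most recent Event ID 360, the same event the manual Event Viewer check looks for.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 360
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastEvent360 = if ($evt) { $evt.Message } else { 'no event 360 logged' }

    [pscustomobject]$result
}

Get-WhfbPolicyState | Format-List
```

Run it through Intune as a script or remotely with Invoke-Command; a device where both the tenant-wide setting and the Identity Protection profile applied should show the MDM value 0 and PolicyEnabled NO.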
How to delete Windows Hello for Business Registrations?
If you want to completely remove Windows Hello for Business registrations from a Windows 10 or Windows 11 device, you will need to use the certutil.exe -deleteHelloContainer command.
I have also made use of this command and deployed it via Intune. You can refer to my other blog post which provides steps to delete WHfB registrations using Intune: Delete Windows Hello for Business registrations.