
How do I turn off Windows Hello PIN in Intune?

Published in Intune Device Security

To effectively turn off Windows Hello PIN in Intune, you primarily utilize specific settings within either Account Protection or Configuration Profiles that manage the broader Windows Hello for Business functionality. Disabling Windows Hello for Business inherently prevents users from setting up or using a PIN.

Windows Hello for Business offers a robust and user-friendly method for sign-in, including PINs, facial recognition, or fingerprint scans. However, organizations may need to disable this feature to enforce alternative authentication methods, meet specific security policies, or simplify the user experience based on their IT strategy. Intune provides the granular control necessary to manage this across your enrolled Windows devices.

There are two primary methods in Intune to achieve this:

1. Disabling Windows Hello via Account Protection Policy

This method directly blocks the provisioning of Windows Hello for Business for targeted users or devices. When blocked, users will not be prompted to set up a PIN or any other Windows Hello credentials, thereby turning off the PIN feature along with other Hello components.

Steps to Configure:

  1. Navigate to the Microsoft Intune admin center.
  2. In the left-hand navigation pane, select the Security tab.
  3. Under the Security section, choose Account protection.
  4. Within the Account protection settings, locate the option titled 'Block Windows Hello for Business'.
  5. Set this option to Enabled.

By enabling 'Block Windows Hello for Business', you prevent the entire feature from being set up on devices, which includes the Windows Hello PIN. This is a broad policy that applies to user-provisioned Hello settings.

2. Turning Off Windows Hello through Identity Protection Configuration Profiles

Configuration profiles in Intune offer a more structured approach to deploy specific settings to devices. By targeting an Identity Protection profile, you can control whether Windows Hello for Business is allowed or required on enrolled devices. Setting 'Configure Windows Hello for Business' to 'Disabled' will prevent the system from prompting users to set up Hello, including the PIN.

Steps to Configure:

  1. Access the Microsoft Intune admin center.
  2. In the left-hand navigation, select Devices.
  3. Under Devices, choose Configuration profiles.
  4. Click Create profile (or edit an existing one).
    • For Platform, select Windows 10 and later.
    • For Profile type, select Templates, then choose Identity protection.
  5. Follow the wizard to configure the profile details (Name, Description).
  6. In the Configuration settings section, find the setting for 'Configure Windows Hello for Business'.
  7. Set this option to Disabled.
  8. Complete the profile creation by assigning it to the appropriate user groups or devices and reviewing the settings.

This method effectively turns off the Windows Hello for Business experience, including PIN setup, by preventing its configuration on devices where the policy is applied.

Summary of Intune Settings to Disable Windows Hello PIN

The following table summarizes the key settings and their effects:

| Setting Name | Location in Intune | Required Value | Effect on Windows Hello PIN |
|---|---|---|---|
| Block Windows Hello for Business | Security > Account protection | Enabled | Prevents users from provisioning any Windows Hello for Business credentials, including the PIN. |
| Configure Windows Hello for Business | Devices > Configuration profiles > Identity protection | Disabled | Disables the ability for devices to allow or prompt for Windows Hello for Business setup, including the PIN. |

Impact and Considerations

When Windows Hello PIN is turned off using either of these Intune settings, users on the affected devices will no longer be able to set up or utilize a PIN for signing into Windows. Consequently, users will typically rely on their traditional Microsoft Entra ID (formerly Azure AD) passwords or other permitted authentication methods for device login.

It's crucial to:

  • Target Policies Correctly: Ensure that these policies are assigned to the correct user groups or device groups to avoid unintended disruptions.
  • Allow Synchronization Time: Policy changes in Intune require time to synchronize and apply to the targeted devices.
  • Understand Scope: Disabling Windows Hello for Business not only affects PINs but also impacts other associated features like biometric sign-in (facial recognition, fingerprint) if they rely on the Hello infrastructure for provisioning and use.
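
Because policy takes time to sync, it helps to confirm on a targeted device that the setting has actually arrived. The following PowerShell check is an added example, not part of the original article or any Microsoft tooling. It assumes the standard Windows locations for Windows Hello for Business policy (the MDM PassportForWork policy key, the Group Policy key, and the NgcSet field of dsregcmd /status), none of which are named in the article.

```powershell
# Added example: report whether a Windows Hello for Business policy has reached this device.
# Run as the signed-in user on the enrolled Windows device. Registry paths are assumptions
# based on the standard PassportForWork policy locations, not taken from the article.

function Get-HelloPolicyState {
    $results = @()

    # MDM (Intune) policy: one subkey per tenant ID, then "Device" or a user SID.
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    if (Test-Path $mdmRoot) {
        foreach ($tenant in Get-ChildItem $mdmRoot) {
            foreach ($scope in Get-ChildItem $tenant.PSPath) {
                $policies = Join-Path $scope.PSPath 'Policies'
                $value = (Get-ItemProperty -Path $policies -Name UsePassportForWork `
                          -ErrorAction SilentlyContinue).UsePassportForWork
                if ($null -ne $value) {
                    $results += [pscustomobject]@{
                        Source       = 'MDM'
                        Scope        = $scope.PSChildName
                        HelloEnabled = [bool]$value   # False means Hello (and the PIN) is off
                    }
                }
            }
        }
    }

    # Group Policy: a conflicting GPO on a hybrid-joined device can disagree with Intune.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $gpo = (Get-ItemProperty -Path $gpoKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -ne $gpo) {
        $results += [pscustomobject]@{ Source = 'GPO'; Scope = 'Device'; HelloEnabled = [bool]$gpo }
    }
    $results
}

function Get-NgcSet {
    # dsregcmd prints "NgcSet : YES" when the current user already holds a Hello credential.
    $line = dsregcmd /status | Select-String -Pattern '^\s*NgcSet\s*:\s*(\S+)'
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

$state = Get-HelloPolicyState
if ($state) { $state | Format-Table -AutoSize } else { 'No Windows Hello for Business policy found on this device yet.' }
"NgcSet for current user: $(Get-NgcSet)"
```

A row with HelloEnabled set to False shows the policy has landed. NgcSet reporting YES means the user already enrolled a Hello credential on that device.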
