How to Disable Windows Hello PIN, Face ID, and Biometric (Fingerprint) Login in Microsoft Intune

How to Disable Windows Hello PIN, Face ID, and Biometric (Fingerprint) Login in Microsoft Intune

Disabling Windows Hello PIN, Face ID, and Biometric logins (like Fingerprint authentication) can be crucial for organizations with strict security policies or compliance requirements. Microsoft Intune allows administrators to manage these settings across all managed devices in the organization.

Here’s a step-by-step guide to disabling Windows Hello features, including PIN, Face ID, and Fingerprint authentication, using Device Configuration Profiles in Intune.

Step 1: Create a Configuration Profile in Intune

1. Log in to the Microsoft Intune Admin Center at https://endpoint.microsoft.com.
2. Navigate to Devices → Configuration Profiles.
3. Click + Create Profile.
4. Choose Windows 10 and later (or the appropriate platform).
5. Under Profile Type, select Device Restrictions.
6. Click Create.

Step 2: Disable Windows Hello Features

1. In the Profile Name field, enter a name (e.g., “Disable Windows Hello Features”).
2. Under Configuration Settings, scroll down to find the Identity and Sign-in settings.
3. Configure the following options:
   • Windows Hello for Business: Set to Disabled to prevent the use of PIN, Face ID, and Fingerprint.
   • Use Windows Hello for Business: Set to Disabled to completely turn off Windows Hello.
   • Allow Fingerprint: Set to Disabled to prevent the use of fingerprint authentication.
   • Allow Face Recognition: Set to Disabled to turn off Face ID login.
   • Allow PIN Sign-in: Set to Disabled to disable Windows Hello PIN.

This will disable all Windows Hello features, including PIN, Face ID, and Fingerprint authentication.

Step 3: Assign the Profile to Devices

1. After configuring the settings, click Next to proceed to the Assignments section.
2. Choose the target device groups or user groups you want this policy to apply to.
3. Click Next to review the settings and then click Create to deploy the profile.

Step 4: Monitor the Deployment

1. Go to Devices → Monitor → Device Configuration to check the deployment status.
2. Confirm that the policy has been applied successfully to the target devices.

Step 5: Verify the Settings on End Devices

1. Once the policy is deployed, verify the changes on a target device by attempting to set up or use Windows Hello PIN, Face ID, or Fingerprint authentication.
2. Windows Hello PIN: Go to Settings → Accounts → Sign-in Options. Ensure that the PIN option is unavailable.
3. Face ID and Fingerprint: Go to Settings → Accounts → Sign-in Options and confirm that Face Recognition and Fingerprint are not available.

Step 6: Testing

Test the settings on one or more devices to ensure the following:

• PIN, Face ID, and Fingerprint login options are removed from Sign-in Options.
• Users can no longer enroll their biometrics (Face or Fingerprint) for authentication.
• If users attempt to access or enroll Windows Hello features, they should see a message indicating that the feature is disabled by your organization.

Conclusion

By using Microsoft Intune’s Device Configuration Profiles, you can easily disable Windows Hello PIN, Face ID, and Fingerprint login across all managed devices in your organization. This provides an added layer of security and control, ensuring that only your preferred methods of authentication are available to users.