
Remove existing WHfB PIN using Intune

September 21, 2022 | Joymalya Basu Roy | Microsoft Intune, Windows 10, Windows 11

How can we remove existing WHfB PIN registration from a managed Windows 10/11 endpoint using Microsoft Endpoint Manager (Microsoft Intune)?

Table of Contents

  • Prologue
  • Remove existing Windows Hello PIN from a managed Windows 10/11 device using MEM Intune
    • Step 1 – Ensure that the Windows Hello for Business is configured to a Disabled state for the tenant
    • Step 2 – Ensure there is no policy from Intune that enables Windows Hello for Business config for the user/device
    • Step 3 – Delete existing Windows Hello for Business (WHfB) registration from the local device
  • The End

Prologue

During Azure AD join of a Windows 10 or Windows 11 device (whether via Autopilot or manually), Windows Hello for Business provisioning is triggered as part of the device provisioning process: after the Enrollment Status Page (ESP) completes but before the user reaches the Desktop, and provided the WHfB prerequisite checks pass, the user is prompted to set up a Windows Hello PIN as a Windows sign-in method for the account on the device. This is the default behavior.

You can follow this in Event Viewer under Applications and Services Logs\Microsoft\Windows\User Device Registration.

At this stage, the user can

  • either follow the provisioning flow by clicking OK and complete setup of the Windows Hello PIN sign-in method (the default Windows Hello mode) after passing an MFA challenge (a user who has not yet registered for MFA is guided through MFA registration as part of the process)
  • or deliberately cause an error in the flow to cancel/skip the Windows Hello registration.

For the purpose of this blog, let us assume that some users have gone through the Windows Hello for Business (WHfB) registration as part of the device provisioning process and have set up Windows Hello PIN as an authentication method for Windows sign-in.

This short blog post is about deleting such existing WHfB registrations using MEM Intune, so that users can no longer use their already set up Windows Hello sign-in method to sign in to Windows.

Remove existing Windows Hello PIN from a managed Windows 10/11 device using MEM Intune

Step 1 – Ensure that the Windows Hello for Business is configured to a Disabled state for the tenant

As mentioned above, Windows Hello for Business provisioning is by default part of the device provisioning process in the Azure AD join scenario unless explicitly prohibited. So if you do not wish to use Windows Hello for Business (WHfB) in your environment yet, you need to explicitly disable WHfB enrolment provisioning for the tenant.

This is done from the MEM Admin Center using the tenant-wide Windows Hello for Business configuration, accessed from Devices > Windows (By platform) > Windows Enrolment > Windows Hello for Business.

Ensure Windows Hello for Business is set to Disabled state for the tenant if you do not want automatic provisioning of Windows Hello for Business to get triggered during device provisioning.

Once Windows Hello for Business (WHfB) is disabled tenant-wide and the device has synced policy, you will notice that the Windows Hello sign-in options become unavailable for the end user to configure or manage on the endpoint.

The screenshot above shows my device, where I completed Windows Hello for Business registration as part of device provisioning and set up a Windows Hello PIN as an authentication method for Windows sign-in.

Before disabling the Windows Hello for Business configuration tenant-wide, I had the option to change the PIN. After disabling it for the tenant and syncing my device, as the screenshot shows, the option to change the PIN is no longer available to me.

However, this does not stop me from using the PIN I have already set up (or face or fingerprint, if I had configured those) to sign in to Windows.

This is because,

Disabling the Windows Hello for Business configuration (tenant-wide setting) in the MEM Admin Center only disables Windows Hello for Business enrolment during new device provisioning. It has no effect on devices that have already gone through provisioning in the past and on which users have already provisioned Windows Hello.

For that, we will need to do something more, which I will get to eventually. But for now, the next move would be to….

Step 2 – Ensure there is no policy from Intune that enables Windows Hello for Business config for the user/device

In the MEM Admin center, you can enable Windows Hello for Business configuration in multiple ways.

  • Configuring Windows Hello for Business via Device configuration > Identity protection
  • Configuring Windows Hello for Business via Endpoint security > Account protection

As such, you need to confirm that there is no Device configuration > Identity protection profile or Endpoint security > Account protection policy that enables Windows Hello for Business configuration for the user/device.

If there is one built for testing purposes, ensure only test users/devices are in the assignment scope for the corresponding policy.

In general, if you want to pilot Windows Hello for Business with a limited set of users before allowing its use by everyone, you would disable Windows Hello for Business tenant-wide (as shown in Step 1) and then use either of the two ways shown above (in Step 2) to enable Windows Hello for Business for the pilot set only.

Let’s not deviate from our main goal which is to remove the existing Windows Hello for Business configured sign-in method and for that, the next and last move would be to…

Step 3 – Delete existing Windows Hello for Business (WHfB) registration from the local device

Windows Hello for Business (WHfB) registration can be deleted from the local device by deleting the Hello key container with certutil, run from PowerShell (or cmd) as the command “certutil /deletehellocontainer“.

The command must run in the user's context, because it removes the calling user's container (run as SYSTEM there is nothing to delete), and, as the output of running it manually shows, the currently signed-in user must also log off for the deletion to take full effect. Note that certutil only removes the local key container; it does not call Azure AD, so the Hello key previously registered for the user remains listed there (under the user's authentication methods) until it is removed separately.

This can be achieved via a native PowerShell script deployment from Intune (with the script set to run using the logged-on credentials); a very rough implementation is shown below.

Remove WHfB PIN using native PS script deployment from MEM Intune
Notice that I am not using the logoff command here. When you tell Windows to log off, it does just that: every running process (or app) is asked to exit, so you are sometimes prompted to save open work; Windows waits a bit, and if you don't respond it force-closes the session. That can interrupt the Intune Management Extension (IME) while it is still processing the script. As such, I opt for a time-delayed restart instead, which lets IME complete the script execution and report the result without being interrupted in between.
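The script described above, written out as an added example (this is not the script from the original post's screenshot): it deletes the signed-in user's Hello container with certutil, logs the result, and schedules a delayed restart instead of a logoff so IME can finish. The log path and the 120-second delay are assumptions; deploy it with “Run this script using the logged on credentials” set to Yes, because certutil acts on the calling user's container.

```powershell
<#
  Added example, not the blog's own script.
  Removes the local Windows Hello container for the signed-in user, then
  schedules a restart so the Intune Management Extension (IME) can finish
  reporting the script result before the session ends.
  Assumptions: log file under %TEMP%; restart delay of 120 seconds.
#>
param(
    [int]$RestartDelaySeconds = 120
)

$log = Join-Path $env:TEMP 'Remove-WHfBContainer.log'   # assumed log location
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $log -Append -Encoding utf8
}

# Refuse to run as SYSTEM: there is no per-user Hello container in that context,
# so the script would report success without removing anything.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.IsSystem) {
    Write-Log 'Running as SYSTEM; deploy with "Run using logged on credentials" = Yes.'
    exit 1
}

Write-Log "Deleting Hello container for $($me.Name)"
$output = & certutil.exe -DeleteHelloContainer 2>&1
$rc = $LASTEXITCODE
$output | ForEach-Object { Write-Log "certutil: $_" }

if ($rc -ne 0) {
    Write-Log "certutil exited with $rc; leaving the session untouched."
    exit 1
}

# A plain logoff lets apps prompt to save work and can interrupt IME mid-script;
# a delayed restart gives IME time to finish and report, then ends the session.
$comment = 'Your Windows Hello PIN has been removed by IT. This device will restart shortly.'
& shutdown.exe /r /t $RestartDelaySeconds /c $comment /d p:4:1
Write-Log "Restart scheduled in $RestartDelaySeconds seconds (shutdown.exe rc=$LASTEXITCODE)"
exit 0
```

The same script can be used unchanged as the remediation script of a Proactive Remediations package; the non-zero exit on the SYSTEM check makes a wrong run-context setting show up in the remediation status rather than silently reporting success.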

However, I am not a big fan of native PS script deployment from Intune, for the obvious reasons of less control and poorer reporting. If you are like me and have the licensing that allows you to use Proactive Remediations, I would suggest using that instead.

For the detection script, you can use the Detect-WindowsHelloEnrollment.ps1 script by Martin Bengtsson [if you haven't checked out his blog yet, do visit https://www.imab.dk/]. However, you will need to reverse the exit codes in that script for our purpose: it should exit with code 1 when it detects an existing WHfB enrolment (so that the remediation runs), else exit with code 0.
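As an added example of a detection script with the exit codes already oriented this way (this is my own script, not Martin Bengtsson's), the following reads the NgcSet value that dsregcmd /status prints in its User State section for the calling user. Exit 1 means a Hello key is provisioned and remediation should run; exit 0 means the user is compliant. The choice to treat an unknown state as compliant is an assumption.

```powershell
<#
  Added example (not the blog's or Martin Bengtsson's script): Proactive
  Remediations detection with exit codes oriented for this post's goal.
    exit 1 -> a Windows Hello key is provisioned for the signed-in user (remediate)
    exit 0 -> no Hello key for this user (compliant)
  Reads "NgcSet" from the User State section of "dsregcmd /status", which
  reflects the calling user, so the package must run with
  "Run this script using the logged-on credentials" = Yes.
#>
$ErrorActionPreference = 'Stop'

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    # Decorative lines (+----+, section titles) do not match and are skipped.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status 2>&1)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.IsSystem) {
    Write-Output 'Running as SYSTEM; no per-user Hello state to evaluate.'
    exit 0   # assumed choice: do not trigger remediation on an unknown state
}

$state = Get-DsregState
if (-not $state.ContainsKey('NgcSet')) {
    Write-Output "NgcSet not present in dsregcmd output for $($me.Name)"
    exit 0   # assumed choice: unknown state is reported, not remediated
}

if ($state['NgcSet'] -eq 'YES') {
    Write-Output "Windows Hello key present for $($me.Name) (NgcSet=YES)"
    exit 1   # non-compliant: run the remediation script
}

Write-Output "No Windows Hello key for $($me.Name) (NgcSet=$($state['NgcSet']))"
exit 0
```

The single Write-Output line per outcome is what shows up in the package's pre-remediation detection output column, which is the reporting advantage over a plain script deployment.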

For the remediation,  you can use the same rough PS script that I showed above as an example.

Remove WHfB PIN using Proactive Remediation from MEM Intune

The End

Windows Hello for Business gives end users a convenient sign-in mechanism that is safe, secure, and strong, and that can be managed in an enterprise environment. So why would you want to disable it?

Maybe when you need to switch between the Windows Hello for Business deployment mode (change in trust type/architecture) and/or any reason whatsoever that is unknown to me.

Copyright © 2022, MDM Tech Space - Joymalya Basu Roy