If you are not sure which kind of Windows 10 you are using, jump to Section 2
1 For Domain Joined / Intune Managed Windows 10
If configuring with domain joined/Intune managed Windows 10, sometimes we want to give the user option to use the Windows Hello or not. Then follow this guide first “Windows 10 Sign-in options and Windows Hello Set up button greyed out After Joined AAD (Azure Active Directory)” After we have done with the above guide (The above guide modify the Windows Hello for Business organisation wide for future enrol Windows 10), next time we have new Windows 10 enrolled to the AAD, the system will request us to setup PIN/Windows Hello or Windows Hello for Business on enrolment but sometimes we don’t want to setup Windows Hello / Windows Hello for Business for some devices. We can follow Section 2 to enable and disable Windows Hello for Business individually.
2 For domain joined/ Intune Managed, non-domain joined/non-Intune managed and all other average users of Windows 10
2.1 Enable and Disable Windows Hello for Business via Group Policy
2.1.1 Use Win + R to lunch “RUN” window
2.1.2 Type gpedit.msc then hit Enter key to open Local Group Policy Editor
2.1.3 Navigate to “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Windows Hello for Business”
2.1.4 Double click on “Use Windows Hello for Business”
2.1.5 From the pop-up window, we can Enable or Disable Windows Hello for Business, also Enable or Disable “Do not start Windows Hello provisioning after sign-in”
To Enable Windows 10 to ask users to setup Windows Hello for Business right after login, we can leave the “Do not start Windows Hello provisioning after sign-in” option unchecked. (Useful for pre-configuration, then deliver to the end user, a form of forcing the end user to setup the Windows Hello for Business, If you have Multi-factor authentication (MFA) configured, it might ask them to configure MFA first before configuring Windows Hello for Business.)
To disable Windows 10 to ask users to setup Windows Hello for Business right after login, we need check the “Do not start Windows Hello provisioning after sign-in” option.
2.2 Enable and Disable Windows Hello for Business via Registry
2.2.1 Follow Step 2.1.1 to 2.1.2, Instead typing “gpedit.msc” we replace it with “regedit”
2.2.2 Navigate to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork”
18.104.22.168 (If “PassportForWork” Key does not exist, create it manually) Right click on “Microsoft” -> Select “New” -> “Key” -> Name it “PassportForWork”
2.2.3 We need to create two Values “Enabled” and “DisablePostLogonProvisioning” Right click on right panel, Select “New” -> “DWORD (32-bit) Value”
Keywords: Sign-in Options, Windows Hello, Windows 10, Azure Active Directory, AAD, Fingerprint, Face Recognition, MDM, Intune, Microsoft Azure, Turn off Windows Hello, Turn Windows Hello, enable Windows Hello, disable Windows Hello
This Guide will explain both how to enable and how to disable Windows Hello.
*Some settings are hidden or managed by your organization.
This setting is managed by your organization. Contact your admin for more info.
6 Change “Configure Windows Hello for Business” to “Not configured” or “Enabled”
(To allow users to decide use Windows Hello or not select Not configured to force set PIN or use Windows Hello select Enabled, to disable Windows Hello (Means the Error will be displayed) select Disabled)
7 Wait for a while, try to reset the Windows 10 which had the error (Make sure to backup the important files)
(If you do not want to reset the computer, try to remove it from Azure domain, wait for a while, then join again)
8 During the setup process select using Work or school account to sign in.
9 Once done, the error should be fixed and you are able to click on the Set up button to configure Windows Hello.