Enabling Windows Hello for Business in Intune is quite easy as the Microsoft Docs are very complete and straightforward. However, if you change your mind and want to disable Windows Hello for Business afterward, there’s no documentation at all. Simply putting the slider “Configure Windows Hello for Business” to OFF is not the solution. It will disable Windows Hello on new devices, but already enrolled devices will keep the PIN-based authentication method configured.
A potential solution would be to delete the current Windows Hello for Business configuration on the device. The command (in user context) is
certutil /deletehellocontainer
However, this only resets the current database. Once you log out and log on, the setup wizard for Hello for Business pops up. You are forced to enter a PIN. No escape to skip this.
So, how to disable Windows Hello for Business completely on a device that was already set up to use WHfB? Below I have described how I disabled Windows Hello for my clients. If you have any questions afterward, feel free to leave any comment and I’ll be happy to respond.
Table of Contents
How to disable Windows Hello for Business on Intune-managed devices
As far as my experience is, you should perform 4 steps to disable Windows Hello for Business on already Intune-enrolled devices:
- Intune: disable Windows Hello for Business in Windows Enrollment
- Intune: disable Windows Hello for Business in Endpoint Security
- Local computer: configure Group Policy setting Use Windows Hello for Business to Disabled
- Local computer: configure Group Policy setting Turn on convenience PIN sign-in to Disabled
I’ve written these steps in more detail below.
Intune: disable Windows Hello for Business in Windows Enrollment
The Hello for Business setting in Enrollment is a tenant-wide setting. It applies to the OOBE (Out of the Box) setup when you configure your device for first the time. If you have enabled WfB here, users will be prompted with the WHfB wizard. You’ll need to disable this option if you haven’t already.
Navigate to this option from Microsoft Endpoint Manager admin center -> Devices -> Enroll Devices -> Windows Hello for Business

Intune: disable Windows Hello for Business in Endpoint Security
In Endpoint Security – Account Protection, you are able to configure Hello for Business for a group of specific users. This is very useful when you are starting a pilot deployment/test.
Because I have turned off Windows Hello for Business at enrollment, I need to set the Block Windows Hello for Business to Disabled in Account Protection. (Note the double denial. Just to make it easier to get confused 🙂 ). If you want to disable PIN login for a specific user, you either need to
- remove the user from the Included groups, or
- add the user to the Excluded Groups, or
- Enable the Block Windows Hello for Business (this then applies to all users in the Included Groups)
Here’s what the setting looks like in Endpoint Security:

Local computer: configure Group Policy setting Use Windows Hello for Business to Disabled
In the local group policy of the computer, navigate to In the local group policy of the computer, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business
Set Use Windows Hello for Business to Disabled

Local computer: configure Group Policy setting Turn on convenience PIN sign-in to Disabled
In the local group policy of the computer, navigate to Computer Configuration -> Administrative Templates -> System -> Logon
Set Turn on convenience PIN sign-in to Disabled

Test your configuration
Once you have configured Windows Hello for Business as described above, run certutil /deletehellocontainer
on the device in user context, log off and log on. You should now be prompted to enter the password. There will be no option to enter a PIN.
Leave a comment!
If this article did not help you solve your problem, please leave a comment! This website is visited thousands of times a day. There is a good chance that I or someone else has an answer to your question.
In addition, in case you have a better solution for this problem or want to add useful information, please leave a comment too! It may help me improve this article, as well as you may help other users facing this issue.
Thanks for the info.
We are using Azure AD with Endpoint Security. I want the office computers to have NO PIN. But all of the shared computers in shipping and the production floor to have PIN only.
I keep trying things but can’t get it to work. Any suggestions?
Thanks for this – I think it might have helped me also 🙂 I have had problems with this is a pure cloud only environment. Even stranger, the first user to enroll and logon to a cloud device worked fine out of the box, but the second user (who may have had a WHfB logon on another device before) the device simply hung at the setting things up for you step with a suspected PIN creation screen hidden behind the OOBE setup wizard. I therefore have implemented all the settings from here alongside my existing settings that disabled WHfB from… Read more »
Thanks for this. I solved my trouble when I used this solution through Intune GPO. I created a script to finally and exchange register value and run certutil below:
Set-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions -Name value -Value 0 -Type DWord -Force
certutil /deletehellocontainer