I came across this in a pilot we ran recently. I discovered that we had an Intune policy enabled which caused the issue: "Hide last signed-in user". Once I disabled this policy, the last signed-in method was remembered.
Windows Hello For Business (default PIN logon)
Good morning,
I have read the following article and every other article I could find regarding this hurdle. I have made registry DWORD changes and I have created new DWORD values, and nothing I have done has yielded any noticeable changes. My question is very simple, but it's starting to look like it is not possible, or I'm doing something wrong, which is ALWAYS possible :o)
Scenario:
Azure AD Hybrid joined devices
Windows Hello For Business - enabled from Endpoint (no domain GPOs configured)
Setup PIN successfully
On CTRL+ALT+DEL Windows logon page at boot I can select sign-in options > PIN and it works great
Ask:
How can I make PIN sign-in option default instead of password?
Things I understand to be true:
- Windows 10 default behavior is supposed to save the last logon method, so if I change the sign-in option to PIN, at reboot PIN should be the default.
- The following article calls out the specific GUIDs to set under the key shown below, and although the PIN GUID stays the same after reboot, it never shows as default at the Windows logon screen. GUID used: {D6886603-9D2F-4EB2-B667-1971041FA96B} under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile. Source article: https://www.****/knowledge/set-default-sign-in-option-in-windows-10.html
- I also understand that if I were to REMOVE the Password from the Windows Sign-in options list that could do the trick, but the Change option listed under Password is grayed out.
- I have also tested the registry DWORD AllowDomainPINLogon, which is found under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System, but that did not help anything either.
What am I missing? Seems like such a simple ask. Any guidance or ideas that I might try would be greatly appreciated.
Thanks,
CWT
3 answers
Limitless Technology 43,996 Reputation points
2022-12-02T09:28:20.58+00:00
Hello there,
You can try to check enabling passwordless security key sign-in to Windows devices with Azure Active Directory.
For hybrid Azure AD joined devices, organizations can configure the following Group Policy setting to enable FIDO security key sign-in. The setting can be found under Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in.
This Group Policy setting requires an updated version of the CredentialProviders.admx Group Policy template.
This might help in neglecting passwords and adding a security key for login. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows
---------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
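The thread points at four registry-backed settings that together decide which credential provider the logon screen offers first: the LogonUI\UserTile key and PIN provider GUID quoted in the question, the AllowDomainPINLogon value the asker tested, the "Hide last signed-in user" policy that the first comment identified as the actual cause, and the "Turn on security key sign-in" Group Policy suggested in this answer. The PowerShell audit below is an added example, not code from the thread or from Microsoft; it only reads these values so an administrator can see at a glance which one is in play on a device. The DontDisplayLastUserName and EnableFIDODeviceLogon value names are taken from Microsoft's policy documentation rather than from this page, so treat their paths as assumptions to confirm against the linked article before relying on them.

```powershell
# Added example (not from the thread): read-only audit of the registry settings
# that govern the default sign-in option on the Windows logon screen.
# Run in an elevated PowerShell session on the affected device.

# Credential-provider GUID quoted in the question (Windows Hello PIN provider).
$PinProviderGuid = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD data, or $null when the key or value is absent (not configured).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-LogonUiUserTile {
    # Key from the question: one value per user SID whose data is the GUID of the
    # credential provider that account last signed in with.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $guid = [string]$item.GetValue($name)
        [pscustomobject]@{
            Sid          = $name
            ProviderGuid = $guid
            IsPin        = ($guid -ieq $PinProviderGuid)
        }
    }
}

# Policy value behind the Intune "Hide last signed-in user" setting named in the
# first comment (classic "Interactive logon: Don't display last signed-in").
# Assumed path/value name from Microsoft documentation, not from this thread.
$dontDisplayLastUser = Get-RegDword `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'DontDisplayLastUserName'

# AllowDomainPINLogon value the question tested.
$allowDomainPin = Get-RegDword `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name 'AllowDomainPINLogon'

# Policy value behind "Turn on security key sign-in" from this answer.
# Assumed path/value name from Microsoft documentation, not from this thread.
$fidoLogon = Get-RegDword `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO' `
    -Name 'EnableFIDODeviceLogon'

Write-Host 'Logon-screen policy audit'
Write-Host "  DontDisplayLastUserName : $dontDisplayLastUser  (1 = hide last user; the logon screen then cannot remember PIN as the default)"
Write-Host "  AllowDomainPINLogon     : $allowDomainPin  (1 = domain PIN sign-in permitted)"
Write-Host "  EnableFIDODeviceLogon   : $fidoLogon  (1 = security key provider enabled)"
Write-Host ''
Write-Host 'Last-used credential provider per user SID (IsPin = Windows Hello PIN provider):'
Get-LogonUiUserTile | Format-Table -AutoSize

if ($dontDisplayLastUser -eq 1) {
    Write-Warning 'Hide last signed-in user is enforced; the last sign-in method will not be remembered regardless of the UserTile GUID.'
}
```

Reading the output alongside the thread: if a user's UserTile entry already shows the PIN GUID but DontDisplayLastUserName is 1, the device is in exactly the state the first comment describes, and the fix is in the Intune policy rather than in the UserTile key.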
Rahul Jindal [MVP] 9,256 Reputation points MVP
2022-11-30T07:52:39.403+00:00