This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 62%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Short Version:
Does anyone know if it is possible to have a pure AAD joined device to use convenience pin and not be required to do identity verification?
Details:
I work at a school and give Surface Pro devices to students as young as 7 years old or 3rd grade. I want to enable them to use the Hello facial login options built into the Surface Pro. We currently can't use Windows Hello for Business since it requires enrollment via identity verification. Young children don't have a mobile device or phone to do this with. There is no facility to do bulk enrollment for situations like this. (At least no one can tell me one for the last three years.) My workaround for the last few years is to join to local AD and enable via GPO convenience pin. Then I set the WHfB to Not Configured. This allows local PIN where as disabled setting prevents it.
Do to the needs of potential continuing distance learning I attempting again to fully transition to pure AAD rather than Hybrid-AAD join. I am finding that even with WHfB in a Not Configured state the user is told that the organization requires the use of it.
Any other suggestions?
Brian Hoyt
Director of IT
French American School of Puget Sound
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Please understand that this issue is more related to Azure AD not Intune. Therefore, it is better to post a ticket with Azure AD tag so that the ticket can be followed by Azure AD team.
Also, based on my research, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled).
Thanks for the reply. The settings for Windows Hello for Business, enrollment behavior and the configuration profiles to enable convenience PIN are all managed in Intune. AAD is the authentication mechanism but not what defines how the device works. My question is how to disable WHfB without totally disabling biometrics and simultaneously enable convenience PIN. The detail of why due to issues of AAD identity management were just for context.
I have found that I can enable convenience PIN via an ADMX configuration profile. I can also disable WHfB it seems to a select set of users. The challenge for me is I can't find a way to enable biometrics.
It seems I might be able to do with ADMX ingestion but I am having challenges figuring it out.
These devices will be AAD joined.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 57.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
You're out of luck. Convenience PINs aren't supported for pure AAD accounts: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#can-i-use-a-convenience-pin-with-azure-ad
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.