Disable Windows Hello PIN/biometrics/etc. after setup?

Question

Good evening. We are managing a small number of Windows 11 machines via the JumpCloud MDM (not integrated with any AD/domain). We can set registry settings, etc. but need to use settings that don't require machines being joined to a domain. We need to disable the use of Windows Hello sign-in options (PIN, biometrics, etc.) - as we're using a different credential provider. I've found settings that seem to disable the option to setup these sign-in options, but these same settings don't appear to disable the ability to use them if they've already been setup. Our particular interest is in disabling these options for UAC authentication, but disabling them for everything is fine.

I came across https://social.technet.microsoft.com/Forums/en-US/5c9d5ed5-877f-4bba-b5be-3be1b97580d3/windows-hello-pin-signin-option-disabling?forum=win10itprogeneral, which seems related, but seemed to try to split hairs - we actually would be fine disabling all the Windows Hello biometrics, including the PIN.

We've tried SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{cb82ea12-9f71-446d-89e1-8d0924e1256e} setting Disabled to 1 and SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions, setting value to 0. Neither of these have had the desired effect (separately or together).

Thanks for any help!

Answer 1

Hello there,

You can change the group policy settings to disable the PIN sign-in option for all users.

Open the Run dialog box by pressing the Windows key and the R key together.

Type GPEDIT.MSC and hit the Enter key.

Go to Computer Configuration -> Administrative Templates -> System -> Logon.

On the right side, double-click on Turn on PIN sign-in and select Disabled.

Similarly, disable the other Windows Hello options if any.

Exit the Group Policy editor and reboot the computer.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–