Sign-In Options missing from Windows Settings after joining Intune/Azure AD

Dustin Rowland 1 Reputation point
2021-08-06T16:19:52.737+00:00

I'm in an IT group that is part of a fast-growing company, and as such many of our GPO and Intune configurations were configured by someone who is now gone, so we're left holding the bag on the issue.

We want a way for users to be able to change their Sign-In PIN, help desk to reset the PIN, and/or change from PIN to Biometrics. But on a domain-joined/Intune-compliant workstation, the Windows 10 Settings->Accounts->Sign-In Options are missing. On a domain-joined/not-yet-in-Azure workstation the Sign-In options are available, but not able to be changed "due to company security policies". In reviewing our Intune Device Configuration Profiles, I cannot find anything that hides the Sign-In section of Settings->Accounts. I see simple password is disabled, PIN and Biometric options are enabled, other password policies are enabled (complexity, length of time to use password, etc). On first login to a workstation after joining the domain and Intune, you can select a PIN or Biometric option, and it works to log in after reboot. But we cannot change it if someone forgets their PIN.


2 answers

  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2021-08-06T18:14:26.133+00:00

    Windows Hello for Business PINs are device and user-specific and thus are not managed in any central way and also not changeable by anyone except the user. If the user needs their PIN changed, then they need to use one of the other methods to log into the same device and then they can change the PIN. If the password provider is disabled, then an admin will have to re-enable it on that device first. Note that this is unrelated to Intune.

    Information about how this provider can be disabled via group policy is at https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#excluding-the-password-credential-provider. For information about how to disable it using Intune, see https://www.petervanderwoude.nl/post/excluding-the-password-credential-provider/


  2. Jason Sandys 31,181 Reputation points Microsoft Employee
    2021-08-24T19:31:38.23+00:00

    I don't know if there's an equivalent group policy or setting within Intune, but using a CSP, you can disable that page: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowsigninoptions (AllowSignInOptions settings).

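
A read-only check for the two settings the answers mention (the `AllowSignInOptions` policy and exclusion of the password credential provider), to run in an elevated PowerShell session on an affected device. This is an added example, not code from either poster or from Microsoft; the registry locations, the provider CLSID and the function names are assumptions to verify on your Windows build.

```powershell
# Added diagnostic example; it only reads the registry.
# Assumption: well-known CLSID of the built-in password credential provider.
$PasswordProvider = '60b78e88-ead8-445c-9cfd-0b87f74ea6cd'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-SignInOptionsPolicy {
    # Assumption: MDM Policy CSP results for the Settings area land in this key.
    $cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Settings'
    $allow  = Get-PolicyValue $cspKey 'AllowSignInOptions'
    $effect = if ($null -eq $allow) { 'Not configured (page shown by default)' }
              elseif ([int]$allow -eq 0) { 'Sign-in options page is hidden' }
              else { 'Sign-in options page is allowed' }
    [pscustomobject]@{
        Check = 'Settings/AllowSignInOptions'; Source = $cspKey
        Value = $allow; Effect = $effect
    }

    # Assumption: "Exclude credential providers" is stored in one of these keys
    # as a comma-separated list of CLSIDs.
    $gpoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    foreach ($key in $gpoKeys) {
        $excluded = Get-PolicyValue $key 'ExcludedCredentialProviders'
        $effect = if (-not $excluded) { 'Not configured' }
                  elseif (($excluded -split ',') -match [regex]::Escape($PasswordProvider)) {
                      'Password provider excluded: no password fallback to change a PIN'
                  }
                  else { 'Other providers excluded; password provider still available' }
        [pscustomobject]@{
            Check = 'ExcludedCredentialProviders'; Source = $key
            Value = $excluded; Effect = $effect
        }
    }
}

Test-SignInOptionsPolicy | Format-List
```

Comparing the output from a workstation where the page is missing with one where it is present shows which of the two settings differs.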