How to disable the “Your organization requires Windows Hello” prompt during OOBE
If you’re seeing the “Your organization requires Windows Hello” or “Use Windows Hello with your account” prompt during the out of box experience (OOBE), but thinking to yourself – “I never set up Windows Hello for my organization…” then you’ve come to the right blog post! We’ve covered how to set up Windows Hello for Business before, but maybe there is some reason you would like to disable the prompt for your organization.
Here are the quick steps for disabling the prompt:
First, head to the Microsoft Endpoint Manager admin center and click Devices > Windows > Windows enrollment. You’ll need to be signed in with an Intune Administrator role.
Click Windows Hello for Business, then under Configure Windows Hello for Business, select Disabled.
Click save and that’s it! During OOBE, you’ll now skip the “Your organization requires Windows Hello” prompt automatically. Here’s a sped up gif showing how OOBE looks without the prompt:
Now, there are other locations you can edit the Hello for Business settings – like the Endpoint Security pane in MEM (using security baselines or configuration profiles), but the settings in the Windows Enrollment pane are the only ones that apply during OOBE. Unfortunately, these settings also apply to the entire tenant and can’t be scoped. So if you want to remove the Hello for Business prompt during OOBE (for Autopilot, for example), you would have to block it for everyone using the tenant wide setting.
If you are still seeing the Hello for Business prompt after setting it to Disabled in the enrollment settings, try also configuring the following settings catalog setting. Go to Devices > Configuration profiles > + Create profile > Settings catalog (preview), or open an existing settings catalog profile. Click + Add settings, search for Use Passport For Work, and add the Use Passport For Work setting from the Windows Hello for Business category to your settings catalog profile. Set Use Passport For Work to False and deploy the profile to a device group, so that the setting is processed before WHfB is provisioned on the device.
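As an added example (not part of the original post), the script below reads the same tenant-wide Windows Hello for Business enrollment setting through Microsoft Graph and, only when run with `-Disable`, sets it to Disabled. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in account holds the DeviceManagementServiceConfig.ReadWrite.All permission (Read.All is enough for the audit-only run).

```powershell
# Added example, not code from the original post.
# Audits, and optionally disables, the tenant-wide Windows Hello for Business
# enrollment policy that controls the "Your organization requires Windows Hello" OOBE prompt.
param(
    [switch]$Disable   # without this switch the script only reports the current state
)

# Assumption: Microsoft.Graph.Authentication is installed; this prompts for an interactive sign-in.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# The WHfB enrollment policy is one object type inside the enrollment configuration collection.
$whfbType = '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'
$whfb = $configs | Where-Object { $_.'@odata.type' -eq $whfbType }

if (-not $whfb) {
    throw 'No Windows Hello for Business enrollment configuration was returned by Graph.'
}

foreach ($cfg in $whfb) {
    # state is one of notConfigured, enabled or disabled
    '{0} (id {1}): state = {2}' -f $cfg.displayName, $cfg.id, $cfg.state

    if ($Disable -and $cfg.state -ne 'disabled') {
        $body = @{
            '@odata.type' = $whfbType
            state         = 'disabled'
        }
        # PATCH changes the single tenant-wide policy; there is no way to scope it to a group.
        Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($cfg.id)" -Body $body -ContentType 'application/json'
        '  -> state set to disabled for the whole tenant'
    }
}
```

Run it without `-Disable` first to confirm which policy object you are about to change; the same object is what the Windows enrollment pane edits, so the change shows up there immediately.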
You may also be wondering why the prompt shows up at all when you haven’t set anything up before. It seems to be because of Azure AD and Office 365. According to this docs article, for organizations that use Azure AD as part of O365: “When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature.” This basically means that Hello for Business, which defaults to enabled, automatically works and is “required” (although you could still skip it by pressing the X in the top right corner during OOBE).
Have any questions? Comment below! And as always, happy deploying!