How to disable the “Your organization requires Windows Hello” prompt during OOBE

If you’re seeing the “Your organization requires Windows Hello” or “Use Windows Hello with your account” prompt during the out of box experience (OOBE), but thinking to yourself – “I never set up Windows Hello for my organization…” then you’ve come to the right blog post! We’ve covered how to set up Windows Hello for Business before, but maybe there is some reason you would like to disable the prompt for your organization.

Windows Hello prompt for Windows 10 2004

Here are the quick steps for disabling the prompt:

First, head to the Microsoft Endpoint Manager admin center and click Devices > Windows > Windows enrollment. You’ll need to be signed in with an Intune Administrator role.

Windows Enrollment settings

Click Windows Hello for Business, then under Configure Windows Hello for Business, select Disabled.

Windows Hello for Business settings

Click save and that’s it! During OOBE, you’ll now skip the “Your organization requires Windows Hello” prompt automatically. Here’s a sped up gif showing how OOBE looks without the prompt:


Now, there are other locations where you can edit the Hello for Business settings, like the Endpoint Security pane in MEM (using security baselines or configuration profiles), but the settings in the Windows Enrollment pane are the only ones that apply during OOBE. Unfortunately, these settings also apply to the entire tenant and can’t be scoped. So if you want to remove the Hello for Business prompt during OOBE (for Autopilot, for example), you would have to block it for everyone using the tenant-wide setting.

You may also be wondering why the prompt shows up at all when you haven’t set anything up before. It seems it’s because of Azure AD and Office 365. According to this docs article, for organizations that use Azure AD as part of O365: “When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature.” This basically results in Hello for Business, which is enabled by default, automatically working and being “required” (although you could still skip it by pressing the X in the top right corner during OOBE).

Have any questions? Comment below! And as always, happy deploying! 🚀


22 Responses

  1. John Straffin says:

    Thank you! This has been driving me crazy!

  2. Thank you!

    This “hello” is super annoying during lockdown, when you want to pre-setup the devices for your new employees while they’re not sitting next to you and can’t register their fingerprints, face recognition or their smartphone.

  3. Josh says:

    Tried doing exactly this, and still get the prompt to setup Windows Hello! Any other pointers?

    • Janusz says:

      This is the one location for configuring the Windows Hello prompt during OOBE, and I’ve seen it take effect very quickly (within a few minutes). I would suggest testing with a licensed cloud-only Azure AD account in your tenant to make sure there’s not issues with the account itself (if you happen to be syncing accounts from on-prem, or using an un-licensed account). If that doesn’t work it might be best to open a ticket with Microsoft and have an engineer review the configuration.

      Let us know if you end up finding the issue!

  4. Saqib says:

    There is now another place you can disable Windows Hello using an Endpoint Security Policy of Type Account Protection, see link. I’ve successfully disabled this for autopilot, but doesn’t seem to disable it for user joined devices.

    • Janusz says:

      Hm, I actually tested the Endpoint Protection Account Protection settings too but was never able to disable the Windows Hello prompt. Tried via user-driven mode Autopilot, ESP enabled/disabled, and just a regular AADJ+MDM scenario. Can you tell me more about your test?

  5. Andrew says:

    Thanks for this post.
    I do like Windows Hello and the option not to enter a password, but it’s true that sometimes it’s annoying when it shows up for a user who’s not sure what to do. (We haven’t yet officially enabled this solution, only for a pilot group.)
    My question is: if I disable the option mentioned in the article, will users be able to enroll themselves in WHfB?
    What will happen with already WHfB-enrolled users?
    Will this option remove the WH auth provider?

    There is a group policy setting “do not show wh enrollment on startup” (I don’t remember the exact wording because I’m away from my computer) and currently we skip this annoying WHfB screen with this setting. We actually just create a few registry keys and apply them through a configuration profile. It works as expected: it doesn’t bother users on login, and users who would like to use biometrics etc. just go to sign-in accounts and set up a PIN and then fingerprints.


    • Sunny says:

      “Do not start Windows Hello provisioning after sign-in” option under “Administrative Templates / Windows Components / Windows Hello for Business / Use Windows Hello for Business”

  6. Silviu Chirila says:

    I have the same question: what happens to the existing users that have already created a PIN for Windows Hello when switching “Configure Windows Hello for Business” to Disabled? Does their PIN get reset or stay unchanged? Does the PIN option disappear and they are prompted to log in with their Azure AD password?
    Also, is there any way to find out which users have had a PIN created?

    Thank you!

  7. Kav says:

    No option to supercede this policy with another one so that you can control who it applies to?

    Any experience using the ‘account protection’ policy as detailed here: to create a Windows Hello policy that applies only to a subset of users?

    • Janusz says:

      Unfortunately no, it seems like it’s everyone or no-one for the prompt during OOBE. I did test the account protection policy (mentioned in my previous comment) but could never get it to work. If you (or anyone reading this!) has gotten the account protection policy to disable the WHfB prompt let me know your scenario/settings, would definitely be an improvement to be able to target users.

  8. Ed says:

    We are getting the “Use Windows Hello with your account” during OOBE with Win 10 1909, but our organization doesn’t have Azure AD Premium. There seems to be no way to turn this off in the AzureAD admin as there is a “No Access” error when trying to get to Devices, Windows, Windows Enrollment in the Endpoint Manager as this page suggests.

    Continuing through the setup with Hello, pops up the MFA login, even if it is not enabled/forced for the user, so really the Hello window doesn’t break anything. It is just annoying for the user.

    • Janusz says:

      Yeah I believe that’s correct – to disable the Hello prompt you need an Intune license to access the setting in the MEM portal.

  9. Ed says:

    I was able to get rid of this annoyance by tweaking a registry setting on the device in audit mode (Ctrl-Shift-F3) before OOBE is run.
    # Stop Windows Hello #
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /f
    Microsoft support confirmed there is NO WAY to do this in AzureAD without Premium.

  10. James Foo says:

    Hi, If we disable the prompt by setting Configure Windows Hello for Business: Disabled (Ref , does it mean users CANNOT setup WHfB even using Sign-In Options –> Hello Fingerprint/Face/PIN ?

    • Janusz says:

      Correct – setting the identity protection device configuration profile to disabled will block WHfB from the settings pane. Here’s what it would look like for the end user: screenshot

  11. Dk says:

    I have not managed to disable Windows Hello. These are the steps I have tried.

    1. -> Home -> Devices -> Windows -> Windows Hello for Business -> Configure Windows Hello For Business: Disabled

    2. -> Home -> Endpoint security -> Account protection -> Create policy: Account protection (Preview) -> Block Windows Hello for Business: Enabled, Assigned for all users

    3. -> Home -> Devices -> Configuration profiles -> Profile: Identity protection -> Configure Windows Hello For Business: Disabled, Assigned for all devices.

    Now I press Autopilot reset for a laptop. Wait for Windows installation. Log in -> Windows Hello prompt is displayed. I don’t know what to try next.

  12. AWB says:

    We are not getting the prompt at OOBE, but at user first login, which is annoying as students don’t always get the same laptop so they either setup a pin on each device or quit the ‘need more information’ dialogue then get ‘something went wrong and they can skip for now. It then comes back at next login. Any thoughts on getting rid of that? We’ve disabled using the 3 methods above.

    • Janusz says:

      That’s surprising – if you block Hello for Business using the Windows enrollment settings, it shouldn’t come up for anyone…

      And you’ve also deployed the Identity Protection Hello for Business setting?

  13. DA says:

    Hi, as Ed pointed out above there is a registry edit that will prevent the Windows Hello prompt from showing up during Autopilot. If you’re using Intune you can deploy a PowerShell script to set this registry key automatically. This still allows the user to use Windows Hello if they like.

    Here is what I use (can’t find original source to credit, sorry!):

    $RegKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"

    $PassportEnabled = "Enabled"
    $PassportPostLogon = "DisablePostLogonProvisioning"

    $StatusOn = 1
    $StatusOff = 0

    #Create the policy key if it does not exist yet
    if (!(Test-Path $RegKeyPath)) {
        Write-Host "Creating registry path $($RegKeyPath)."
        New-Item -Path $RegKeyPath -Force | Out-Null
    }

    #PassportEnabled: StatusOn = Windows Hello enabled, StatusOff = Windows Hello disabled
    #PassportPostLogon: StatusOn = Windows Hello for Business does not prompt post Windows login, StatusOff = Windows Hello will prompt
    New-ItemProperty -Path $RegKeyPath -Name $PassportPostLogon -Value $StatusOn -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $RegKeyPath -Name $PassportEnabled -Value $StatusOn -PropertyType DWORD -Force | Out-Null

    #Forces system to refresh
    RUNDLL32.EXE USER32.DLL, UpdatePerUserSystemParameters 1, True
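
A read-only check for the two registry values used in the comments above, added here as an example (it is not code from the original post or from any commenter). The function name Get-HelloPolicyState is hypothetical, and the meaning given to each value follows what the commenters report for this key.

```powershell
# Added example: reports the Windows Hello for Business policy values on this device.
# Nothing is written to the registry.
function Get-HelloPolicyState {
    param(
        # Policy key named in the comments; override only when testing against a copy.
        [string]$RegKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    )

    $state = [ordered]@{
        KeyExists                    = Test-Path -Path $RegKeyPath
        Enabled                      = $null
        DisablePostLogonProvisioning = $null
        Summary                      = ''
    }

    if ($state.KeyExists) {
        $props = Get-ItemProperty -Path $RegKeyPath -ErrorAction SilentlyContinue
        foreach ($name in 'Enabled', 'DisablePostLogonProvisioning') {
            # Only record values that are actually present under the key.
            if ($null -ne $props -and $props.PSObject.Properties.Name -contains $name) {
                $state[$name] = [int]$props.$name
            }
        }
    }

    # Interpretation as reported in the comments (assumption, not verified here).
    $state.Summary = if ($state.Enabled -eq 0) {
        'Enabled = 0: Windows Hello for Business is turned off by this key.'
    } elseif ($state.DisablePostLogonProvisioning -eq 1) {
        'DisablePostLogonProvisioning = 1: no provisioning prompt after sign-in; users can still enroll from Sign-in options.'
    } elseif ($null -eq $state.Enabled) {
        'Enabled is not set here: this key is not overriding the default.'
    } else {
        'Enabled = 1 without DisablePostLogonProvisioning = 1: expect the provisioning prompt after sign-in.'
    }

    [pscustomobject]$state
}

Get-HelloPolicyState | Format-List
```

Running it before and after a policy or script deployment shows whether the values actually landed on the device, which is the first thing to confirm when the prompt still appears.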
