Since the Windows 10 Fall Creators Update RS3 (1709) update several customers of mine got a message that they needed to configure a Windows Hello PIN while logging in to Windows 1709 . The devices were all Azure AD joined and managed via Microsoft Intune. In those cases Microsoft Intune was configured to disable Windows Hello, so the users shouldn’t be receiving a message to configure Windows Hello.
Microsoft identified an issue with the enrolment workflow for Windows 10 Fall Creators Update (RS3), all new devices that will be enrolled will not be requested to setup a PIN when Windows Hello is disabled. For devices with Windows 10 RS3 that are enrolled before the 30th of November a the following options are available to disable Windows Hello again.
- For users that have a PIN configured can run the following PowerShell script to disable Windows Hello again:Set-ExecutionPolicy RemoteSigned
Install-Module -Name Microsoft.WindowsPassportUtilities.Commands
- For users that have Windows Hello fingerprint or face biometrics sign-in, they can only remove the prompt from Windows Settings. In Windows go to Settings -> Accounts -> Sign In Options and remove the Face or Fingerprint enrollment.
- For users that updated Windows 10 to RS3 who and have not logged in since, they may be prompted to set up Windows Hello on their next login. If you want to prevent this from happening, you can do so by deleting the folder %programdata%\Microsoft\DMClient and everything in it.
If you want more information, see the status messages in the message center of Office 365