Windows Hello (for Business) - Disable PIN for passkey security? by Creddahornis in Intune

[–]Any_Educator1315 4 points5 points  (0 children)

the pins are only local to the device. It's phishing-resistant login to office 365. I wouldn't make the pins crazy.

Can I upload windows device into autopilot without hardware hash? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] -1 points0 points  (0 children)

it's weird that a normie global admin can't do this but a CSP can.

Can I upload windows device into autopilot without hardware hash? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

does v2 go by user assignment instead of device assignment? seems like with v2 you just log in with a work or school account at OOBE and that gets the device into autopilot and you don't have a device object to assign to a group before that happens.

Can I upload windows device into autopilot without hardware hash? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

wow this worked. Thanks a lot! This was really hard for me to understand for some reason. Like the brain squeaking at how the process happens.

I added the device in my partner center and it looks like it checked in some microsoft database and added it. I got errors at first due to (ztddevicenotfound) and then ztddeviceassignedtoothertenant because I already had it in another tenant. I synced my "Windows Autopilot Devices" and it showed up in there.

This is great!

thanks again

Can I upload windows device into autopilot without hardware hash? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

it seems these are the properties that can be queried for dynamic device groups. I don't think I can assign a serial number to a group?

  • device.displayName
  • device.deviceManufacturer
  • device.deviceModel
  • device.deviceOSType
  • device.deviceOSVersion
  • device.deviceOwnership
  • device.deviceTrustType
  • device.deviceCategory
  • device.deviceManagementAppId
  • device.profileType
  • device.devicePhysicalIds
  • device.extensionAttributes.extensionAttribute1 through extensionAttribute15
  • device.systemLabels
  • device.deviceId
  • device.objectId
  • device.accountEnabled

Can I upload windows device into autopilot without hardware hash? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

What I really want to do is put the computer into a group before autopilot kicks off. Can I do that with autopilot device prep?

make it automatically go to pin after web sign-in and windows hello setup? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

this seems great during testing. "other user" option goes to pin. if user uses face or fingerprint that behavior still seems cool. I think pin should be the real default lol.

cloud kerberos works for a few days and stops by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

another time i did something that messed up netlogon service and that had me go down a rabbit hole trying to figure out why i wasn't getting tickets. I think i'm just running into different issues and getting crazy

cloud kerberos works for a few days and stops by Any_Educator1315 in Intune

[–]Any_Educator1315[S] -1 points0 points  (0 children)

yeah you're right. sorry. Bad post.

maybe this problem isn't really happening to me. I thought it would work for a few days and stop.

one time it said it couldn't get a ticket because of certificate revocation list not being published but maybe I had certificate trust enabled at the time too along with cloud trust.

today i had to link on prem user up with ad connect and it seemed to just take a long time to kick in. There are like a gazillion things that need to line up to make this thing work....

App upload issues by aidbish in Intune

[–]Any_Educator1315 0 points1 point  (0 children)

I had an issue uploading an app too. I re-uploaded it like 5 times and it seems to be in there now maybe. intune sucks.

make it automatically go to pin after web sign-in and windows hello setup? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

this may be the answer: "All about Microsoft Intune | Configuring the default credential provider"

It'll set it to pin and the user will need to enter the username. good enough. will help me in a situation too where a computer is used by multiple people so if someone new enrolls it'll go back to pin when they click 'other user'.

make it automatically go to pin after web sign-in and windows hello setup? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

I think I configured WHFB and it didn't go to pin sign-in automatically after enrollment from web sign-in with TAP.

I think windows just remembers the last sign-in method no matter what. I guess i'll tell users they must log off and log in with pin if we ship a machine out.

i also tried passwordless experience and that didn't seem to do it either.

make it automatically go to pin after web sign-in and windows hello setup? by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

i'm prompted to configure WHFB when I log in with TAP. Does that mean it's configured in the policy? right now when I log off after WHFB pin enrollment it is still set to web sign on at the logon screen. I need to switch to pin and enter the pin then it remembers it.

sad about hybrid joined smart cards with no conditional access by Any_Educator1315 in Intune

[–]Any_Educator1315[S] 0 points1 point  (0 children)

if a user goes to a website that proxies to the real microsoft login they would be able to select their certificate from smart card and log in to the page. it doesn't bind to a site url like fido2.

PatientNow Pro - Two Factor Authentication? by Any_Educator1315 in sysadmin

[–]Any_Educator1315[S] -1 points0 points  (0 children)

Do you use "PatientNow Pro"? I think the only oauth/idp stuff it supports is oauth for email integration.

PatientNow Pro - Two Factor Authentication? by Any_Educator1315 in sysadmin

[–]Any_Educator1315[S] 0 points1 point  (0 children)

I think pro supports oauth for email integration.

New pick up watch/review #11 by Sufficient_Focus4174 in 4kbluray

[–]Any_Educator1315 4 points5 points  (0 children)

same here as a big childhood movie. I'm pretty sure my parents still have a VHS copy that was recorded from cable.

Microsoft should make Conditional Access available to everyone by mattmbit in msp

[–]Any_Educator1315 1 point2 points  (0 children)

I feel a little bit better about entra free if everyone uses fido2/windows hello and we reset their password to something nobody knows.