I'm trying to figure out if it's possible to disable Windows Hello's passkey method for specific applications. There's a particular third-party app that only allows password authentication, which leads to confusion and error messages for users trying to sign in. I don't see any settings related to Windows Hello for Business in Entra or Intune, even though we've enabled it for enrollment and configured cloud Kerberos trust. Is this a simple on/off feature with no flexibility? Would a conditional access policy be useful in this situation, and if so, how would I go about setting it up to block Windows Hello or allow only password logins?
5 Answers
Honestly, I'm not a fan of Windows Hello either. I’d suggest enforcing multi-factor authentication and good, memorable passwords instead. Many users struggle to understand the difference between a PIN and a password. It might be best to disable Windows Hello across the board, enforce strong passwords, and also set up single sign-on wherever possible. This can simplify access and reduce the number of confusing tickets. Plus, implementing conditional access policies to restrict logins to your country or specific IP addresses could significantly lower your security risks.
You might want to check the enterprise app registration in Azure. While I'm not entirely sure if you can change Windows Hello settings there, that's definitely where to start looking instead of in Windows Hello itself.
So it sounds like it really depends on whether the vendor supports modern authentication methods, right?
Unfortunately, you can't disable Windows Hello for specific applications; it’s an all-or-nothing setup. Conditional access won't provide a workaround for this either.
