Disable Windows Hello with Autopilot using Workspace ONE UEM

Workspace ONE UEM fully supports Microsoft Autopilot. For those who are not aware, Windows Autopilot provides setup and preconfiguration services for new devices so they’re ready to use right out of the box.

My colleague Pete Lindley (VMware EUC) has written an excellent article on how to set up and test Autopilot with Workspace ONE UEM.

This very short article details how you can disable Windows Hello as part of deploying Windows 10 with Autopilot.

Start by creating a Windows 10 device profile and enable Track Profile Status during OOBE as shown:

Select the Custom Settings tab, enter the Install XML as follows:

<Add>
  <CmdID>3727e578-7bec-4224-ab7d-09214bfb25b3</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/PassportForWork/<Azure-Directory-ID>/Policies/UsePassportForWork</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>False</Data>
  </Item>
</Add>

Remove XML settings:

<Replace>
</Replace>

Note that <Azure-Directory-ID> is replaced by your own Azure Directory ID or Tenant ID. This can be obtained by logging into your Azure AD portal, selecting Properties and copying the Tenant ID value. A screen capture from my environment is shown below:

Now select Groups & Settings > All Settings > Devices & Users > General > Enrollment > Optional Prompt. Set Enable the Status Tracking Page for OOBE to Enabled. See the following as an example:

I disabled the option Enable ‘Continue Anyway’ Button on OOBE Status Tracking Page, otherwise I found that as an end user I might Continue Anyway as shown below, before the profile was applied to disable Windows Hello.
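The Install XML fails silently if the tenant placeholder is left in or if the quotes were converted to curly quotes when copied from a web page. The following check is an added example, not part of the original article or of Workspace ONE UEM; the function name lint_install_xml, the all-zero tenant ID and both samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
URI = re.compile(r"^\./Device/Vendor/MSFT/PassportForWork/([^/]+)/Policies/UsePassportForWork$")
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant ID, not a real one

# Constructed sample: the article's Install XML with the tenant ID filled in.
GOOD = f"""<Add>
  <CmdID>3727e578-7bec-4224-ab7d-09214bfb25b3</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/PassportForWork/{TENANT}/Policies/UsePassportForWork</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>False</Data>
  </Item>
</Add>"""
# Constructed sample: same XML with curly quotes and the placeholder left in.
BAD = GOOD.replace('"', "\u201d").replace(TENANT, "<Azure-Directory-ID>")

def lint_install_xml(xml_text):
    """Return a list of problems in the Install XML; an empty list means none found."""
    problems = []
    if re.search("[\u201c\u201d\u2018\u2019]", xml_text):
        problems.append("curly quotes present; use straight quotes")
    if "<Azure-Directory-ID>" in xml_text:
        problems.append("placeholder <Azure-Directory-ID> not replaced")
    if problems:
        return problems  # report these first; in the article's XML both also break parsing
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    match = URI.match((root.findtext("Item/Target/LocURI") or "").strip())
    if not match:
        problems.append("LocURI is not the UsePassportForWork device policy path")
    elif not GUID.match(match.group(1)):
        problems.append(f"tenant segment is not a GUID: {match.group(1)!r}")
    if (root.findtext("Item/Meta/{syncml:metinf}Format") or "").strip() != "bool":
        problems.append("Format must be bool in the syncml:metinf namespace")
    if (root.findtext("Item/Data") or "").strip().lower() not in ("true", "false"):
        problems.append("Data must be True or False")
    return problems

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_install_xml(sample) or "no problems found")
```

Run it against the exact text you paste into the Custom Settings tab, since the copy step is where the quotes and placeholder usually go wrong.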

Are you still getting prompted to set up MFA for your users once they’ve logged into Windows? By default Azure AD requires all users to register for Azure Multi-Factor Authentication. See this Microsoft article for further details and how to change this setting.

That’s it! When you start your new Windows 10 PC or laptop, you will no longer be prompted to set up Windows Hello as part of a usual Autopilot setup.

If you have any feedback, please don’t hesitate to contact me directly via my blog contact page.

Thank you to Saurabh Jhunjhunwala (Remote Delivery Consultant, VMware) for sharing this capability with me.

11 Comments

    1. Note: I disabled the option Enable ‘Continue Anyway’ Button on OOBE Status Tracking Page, otherwise I found that as an end user I might Continue Anyway as shown below, before the profile was applied to disable Windows Hello.

      1. I did follow that as well. Should I configure those enrollment settings at the root OG? I overrode and configured that at my Azure AD sub-OG.

      1. I’m using the 20H2. BTW, it works when we changed the custom settings to these. Thank you for this article, Darryl.

        3727e578-7bec-4224-ab7d-09214bfb25b3

        ./Device/Vendor/MSFT/PassportForWork/AzureIDhere/Policies/UsePassportForWork

        bool
        text/plain

        False

        3727e578-7bec-4224-ab7d-09214bfb25b3

        ./Device/Vendor/MSFT/PassportForWork/AzureIDhere/Policies/UsePassportForWork

        bool
        text/plain

  1. @Andrew, what is the difference between your config and that from Darren? Can you share your Device Profile? I’m trying to disable Windows Hello in OOBE as well, but my configuration is not being accepted and I still get the Windows Hello part via AutoPilot, Azure AD and Workspace ONE enrollment.

    My Device Profile config now:
    Target = OMA DM Client
    Make Commands Atomic = v (checked)
    Install Settings =

    3727e578-7bec-4224-ab7d-09214bfb25b3

    ./Device/Vendor/MSFT/PassportForWork/AzureIDhere/Policies/UsePassportForWork

    bool
    text/plain

    False

    Remove Settings =

    1. @Surbhi, I cannot copy the content of the “custom settings” from the device profile. Darryl’s site doesn’t support the XML content. Send me a DM on Twitter or LinkedIn and I can assist you further.
