Workspace ONE UEM fully supports Microsoft Autopilot. For those who are not aware, Windows Autopilot provides setup and preconfiguration services for new devices so they’re ready to use right out of the box.
My colleague Pete Lindley (VMware EUC) has written an excellent article on how to set up and test Autopilot with Workspace ONE UEM.
This very short article details how you can disable Windows Hello as part of deploying Windows 10 with Autopilot.
Start by creating a Windows 10 device profile and enable Track Profile Status during OOBE as shown:
Select the Custom Settings tab, enter the Install XML as follows:
Remove XML settings:
Note that <Azure-Directory-ID> is replaced by your own Azure Directory ID or Tenant ID. This can be obtained by logging into your Azure AD portal, selecting Properties and copying the Tenant ID value. A screen capture from my environment is shown below:
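For reference, a custom-settings payload of the kind described above, added here as an example and not the author's original XML. It assumes the setting is delivered through Microsoft's PassportForWork CSP (`UsePassportForWork` policy node); the `CmdID` values are arbitrary, and `<Azure-Directory-ID>` is the same placeholder used in this article.

```xml
<!-- Install Settings: disable Windows Hello for Business device-wide.
     Replace <Azure-Directory-ID> with your tenant ID (a GUID) before saving;
     the placeholder is not valid XML as written. -->
<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/PassportForWork/<Azure-Directory-ID>/Policies/UsePassportForWork</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>false</Data>
  </Item>
</Replace>

<!-- Remove Settings: delete the policy node when the profile is removed,
     which returns the device to the default behaviour (Windows Hello offered). -->
<Delete>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/PassportForWork/<Azure-Directory-ID>/Policies/UsePassportForWork</LocURI>
    </Target>
  </Item>
</Delete>
```

The `Replace` block goes in the Install Settings field and the `Delete` block in the Remove Settings field of the Custom Settings payload. The tenant ID in the `LocURI` must match the directory the device joins, otherwise the policy is written under a node Windows does not consult.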
Now select Groups & Settings > All Settings > Devices & Users > General > Enrollment > Optional Prompt. Set Enable the Status Tracking Page for OOBE to Enabled. See the following as an example:
I disabled the option Enable ‘Continue Anyway’ Button on OOBE Status Tracking Page, otherwise I found that as an end user I might Continue Anyway as shown below, before the profile was applied to disable Windows Hello.
Are your users still being prompted to set up MFA once they’ve logged into Windows? By default Azure AD requires all users to register for Azure Multi-Factor Authentication. See this Microsoft article for further details and how to change this setting.
That’s it! When you start your new Windows 10 PC or laptop, you will no longer be prompted to set up Windows Hello as part of a usual Autopilot setup.
Thank you to Saurabh Jhunjhunwala (Remote Delivery Consultant, VMware) for sharing this capability with me.