It seems that many people have a beef with MS for forcing Windows Hello for Business (WHfB) onto machines that are joined to Azure AD – as per https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/17762902-allow-for-deactivating-windows-hello-and-set-up
It can be disabled via Intune… but what if you don’t have Intune, and can’t manage the device until it’s enrolled with your 3rd-party solution – i.e. after the user has already been forcibly enrolled into WHfB?
Well, first off, let’s cover the why: why would you want to do this?
The main reason is SSO for on-premises resources. If you have a hybrid environment and Azure AD joined machines sometimes come onto the corporate network or connect in over VPN, you don’t want them to get prompted every time they try to access a resource. This can be achieved with WHfB, but it is not the simplest thing to set up – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base
Azure AD SSO to on-premises resources “just works” with a few caveats – as per this horrendously badly written MS doc – https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso – I have queried the statement
“Azure AD joined devices have no knowledge about your on-premises AD environment because they aren’t joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.”
with MS support, but they don’t seem to see anything wrong with implying that additional information is required while never specifying what that additional information is.
Anyhoo – back to the topic at hand.
While there is no easy way to un-enroll your users from WHfB, you can set password as the default logon option, which will make your SSO journey much simpler… then you can work in the background on getting WHfB SSO going.
In short, loop through each SID listed as a value name under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile
and set that value’s data to {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD},
which is the GUID of the “password” credential provider.
Password logon will then be the default tile for each user.
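The registry loop described above as a script, added here as an example (not code from the original post). It assumes an elevated PowerShell session and that the UserTile key already exists; the function name Set-PasswordAsDefaultLogon is my own.

```powershell
# Added example: preselect the password credential provider for every user SID
# recorded under LogonUI\UserTile. Run from an elevated PowerShell session.
$UserTileKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile'
$PasswordProvider = '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}'   # "Password" credential provider GUID

function Set-PasswordAsDefaultLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path         = $UserTileKey,
        [string]$ProviderGuid = $PasswordProvider
    )

    if (-not (Test-Path -Path $Path)) {
        # The key is only populated once someone has signed in interactively.
        Write-Warning "UserTile key not found: $Path"
        return
    }

    $key = Get-Item -Path $Path
    # Value names are user SIDs (S-1-5-21-... for local/AD accounts,
    # S-1-12-1-... for Azure AD accounts); the data is the provider GUID.
    $sids = $key.GetValueNames() | Where-Object { $_ -match '^S-1-\d+(-\d+)+$' }

    if (-not $sids) {
        Write-Warning "No user SIDs found under $Path"
        return
    }

    foreach ($sid in $sids) {
        $current = $key.GetValue($sid)
        if ($current -eq $ProviderGuid) {
            Write-Verbose "$sid already defaults to the password provider"
            continue
        }
        # ShouldProcess gives us -WhatIf / -Confirm for free.
        if ($PSCmdlet.ShouldProcess($sid, "Change default logon provider '$current' -> '$ProviderGuid'")) {
            Set-ItemProperty -Path $Path -Name $sid -Value $ProviderGuid -Type String
            Write-Output "$sid : $current -> $ProviderGuid"
        }
    }
}

# Preview first, then apply.
Set-PasswordAsDefaultLogon -WhatIf
Set-PasswordAsDefaultLogon -Verbose
```

This only changes which tile is preselected on the sign-in screen; the WHfB PIN option is still offered, and because the key records the provider each user last signed in with, the value flips back if a user later picks the PIN tile.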