Changing the default sign in for Azure AD joined machines

It seems that many people have a beef with MS for forcing Windows Hello for Business (WHfB) onto machines that are joined to Azure AD, as per

It can be disabled via Intune…. but what if you don't have Intune, and can't manage the device until it is enrolled with your third-party solution, by which point the user has already been forcibly enrolled into WHfB?

Well, first off, let's cover the why…. why would you want to do this?

The main reason is SSO to on-premises resources. If you have a hybrid environment and Azure AD joined machines sometimes come onto the corporate network or connect over VPN, you don't want users to be prompted for credentials every time they access an on-premises resource. This can be achieved with WHfB, but it is not the simplest thing to set up: for Azure AD joined devices it needs a Kerberos trust to your on-premises AD, via either the certificate trust or the cloud Kerberos trust model.

Azure AD SSO to on-premises resources "just works" with a few caveats, as per this horrendously badly written MS doc. I have queried the statement

Azure AD joined devices have no knowledge about your on-premises AD environment because they aren’t joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.

with MS support, but they don't seem to see anything wrong with the implication that additional information is required while not specifying anywhere what that additional information is.


Anyhoo, back to the topic at hand.

While there is no easy way to un-enroll your users from WHfB, you can set password as the default sign-in option, which makes your SSO journey much simpler; then you can work in the background on getting WHfB SSO going.

In short, loop through each user SID listed under


and set each value to {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD},

which is the GUID of the built-in password credential provider.

Password logon will then be the default sign-in option for each user.
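Here is the loop above as a script you can run locally (or push through whatever RMM you do have). This is an added example, not the post's own code. Two things in it are my assumptions rather than anything stated on this page: that the per-SID values sit under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile, and that the registered providers are listed under the neighbouring Credential Providers key. Check both on your own build before dropping the -WhatIf. It also only touches value names that look like user SIDs, because Azure AD users show up as S-1-12-1-… rather than the S-1-5-21-… you may be used to.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Sets the built-in password
# credential provider as the default sign-in tile for every user SID recorded on
# this machine. ASSUMPTION (the post omits the key name): the per-user "last used
# credential provider" values live under LogonUI\UserTile, one REG_SZ value per SID.

$PasswordProviderGuid = '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}'
$UserTileKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Test-PasswordProviderGuid {
    # Sanity check: the GUID must be registered on this box as the password provider,
    # otherwise we would point every user tile at a provider that does not exist.
    $key = Join-Path $ProvidersKey $PasswordProviderGuid
    if (-not (Test-Path $key)) {
        throw "Credential provider $PasswordProviderGuid is not registered on this machine"
    }
    $name = (Get-ItemProperty -Path $key).'(default)'
    if ($name -ne 'PasswordProvider') {
        throw "$PasswordProviderGuid is registered as '$name', not 'PasswordProvider'; refusing to continue"
    }
}

function Resolve-SidName {
    param([string]$Sid)
    # Local and AD SIDs translate to names; Azure AD user SIDs (S-1-12-1-...) usually
    # do not resolve offline, so fall back to printing the SID itself.
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Set-PasswordAsDefaultSignIn {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    Test-PasswordProviderGuid
    $tile = Get-Item -Path $UserTileKey -ErrorAction Stop

    foreach ($valueName in $tile.GetValueNames()) {
        # Only touch values that are user SIDs: S-1-5-21-* (local/domain) and S-1-12-1-* (Azure AD)
        if ($valueName -notmatch '^S-1-(5-21|12-1)-') { continue }

        $current = [string]$tile.GetValue($valueName)
        $who     = Resolve-SidName $valueName

        if ($current -ieq $PasswordProviderGuid) {
            Write-Verbose "$who already defaults to password; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($who, "Change default sign-in provider from '$current' to password")) {
            Set-ItemProperty -Path $UserTileKey -Name $valueName -Value $PasswordProviderGuid -Type String
            Write-Output "$who : $current -> $PasswordProviderGuid"
        }
    }
}

# Dry run first to see which users would change, then run it for real.
Set-PasswordAsDefaultSignIn -WhatIf -Verbose
# Set-PasswordAsDefaultSignIn
```

Note that the values are per SID, so a user who has never signed in to the box has no entry yet and will get one with whatever provider they use the first time. If new users keep landing on the PIN tile, rerun the script (a scheduled task at startup is the low-tech answer when you have no MDM).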

