none
Unable to disable sign-in with PIN RRS feed

  • Question

  • I have applied the Windows 10 ADMX files to our domain controller and have the "Turn on PIN sign-in" GPO set to Disabled but end users with Windows 10 computers still have the option to set and sign-in with a PIN.  All Windows 8.1 computers with this policy enabled cannot set and sign-in with a PIN. Is there another GPO that needs to be set to not allow Windows 10 users to set a sign-in PIN, or is this a bug that needs to be fixed?
    Friday, August 21, 2015 8:45 PM

Answers

  • Hello

    The GPO Computer Configuration\Administrative Templates\System\Logon -> Turn on PIN is for Windows 8/8.1/2012/2012R2 only.

    If you want to disable the PIN-Login function, you have to set the following gpo:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Passport for Work > Use Microsoft Passport for Work -> Disabled


    • Edited by MatthiassaihttaM Monday, June 13, 2016 9:40 AM
    • Proposed as answer by HelpDeskI2 Monday, July 18, 2016 4:12 PM
    • Marked as answer by EJtech13 Monday, July 18, 2016 4:13 PM
    Monday, June 13, 2016 7:21 AM

All replies

  • The users who are using Windows 10 have to cancel PIN  sign -in

    Open Settings.

    • Click on Accounts.
    • Select Sign-in options.
    • Look for PIN. Since you have already created a pin, you should be getting option as Forgot my PIN, click on that.
    • Now click on Continue.
    • Don’t enter the pin details and click on Cancel


    S.Sengupta, Windows Experience MVP

    Saturday, August 22, 2015 1:02 AM
  • The problem isn't removing a current PIN.  The computer's don't have a PIN enabled on them currently and I don't want end user's to be able to set a PIN to use as a sign-in method to the computer.
    Saturday, August 22, 2015 1:30 AM
  • Have you tried Group Policy to set it?

    Press Win+R keys and type in gpedit.msc to launch Group Policy Editor.

    Computer Configuration\Administrative Templates\System\Logon

    Configure turn on PIN Sign


    S.Sengupta, Windows Experience MVP


    Saturday, August 22, 2015 1:40 AM
  • Yes I tried that but setting a PIN is still allowed. I also went into the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System and made sure AllowDomainPINLogon DWORD value is set to 0. 
    Saturday, August 22, 2015 3:52 AM
  • Does anyone else experience this issue? I have tried setting the GPO on 3 different computers now and I can't get any of them to NOT allow a PIN to be set for sign-in.  I have a Surface Pro 3 that had Win 8.1 installed and the GPO set which prevented a PIN to be used for sign-in, but after I installed the Window 10 upgrade on it the computer now allows a PIN to be set for sign-in.
    Monday, August 24, 2015 7:19 PM
  • Hi,

    I will do some tests in our environment to confirm that and feedback, thanks for that.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, August 31, 2015 2:16 AM
    Moderator
  • I would also recommend submitting this feedback via the Windows Feedback app, this is the surest way to inform the development teams of the issue you are experiencing.

    Brandon
    Windows Outreach Team- IT Pro
    Windows for IT Pros on TechNet

    Thursday, September 3, 2015 5:47 PM
    Moderator
  • Yes, I'm having the same issue.
    Thursday, September 3, 2015 7:01 PM
  • Any findings?
    Thursday, September 3, 2015 7:51 PM
  • Done
    Thursday, September 3, 2015 7:52 PM
  • Hi,

    I tested on 2 Windows 10 machine and 1 Windows 8.1 in a Windows server 2012 R2 environment with Windows 10 ADMX installed. Seems like you are right about this group policy. Please feedback to us as mentioned by Brandon Records. In the other hand we also will raise this issue from our side and do more test. Thanks very much.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by EJtech13 Saturday, September 5, 2015 3:09 AM
    • Unmarked as answer by EJtech13 Monday, July 18, 2016 4:15 PM
    Friday, September 4, 2015 4:16 AM
    Moderator
  • Thanks for confirming this is a bug. I have also posted the issue on the Windows Feedback app as suggested.
    Saturday, September 5, 2015 3:08 AM
  • I have same problem with Windows 10 Education clients in a Windows Server 2012 R2 environment.

    AllowDomainPINLogon DWORD value is ignored by Windows 10.

    Monday, September 21, 2015 1:46 PM
  • Hi,

    Thanks for your feedback, hope it can get fixed soon.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, September 22, 2015 1:06 AM
    Moderator
  • Any updates on this?  I'm having the same issue as well.  Thanks.
    Friday, October 9, 2015 8:34 PM
  • I am experiencing the same issue.

    Windows 10 Pro.

    This is definitely a Windows issue. Hopefully Microsoft fixes it in a future update.
    Friday, October 9, 2015 8:44 PM
  • Microsoft will take their time to evaluate. Maybe 2016 we will see a change in some insider build, so by 2017 the big change goes into production. Come one...

    The solution (temporary fix at least) is here: https://www.reddit.com/r/sysadmin/comments/3gdx4k/windows_10_block_microsoft_accounts/

    Monday, October 19, 2015 8:46 PM
  • This issue is pretty bad. 

    1234 is accepted as a PIN and I don't see any way force complexity.

    However, a possible clue is that I noticed that even though PIN setting is configured as disabled in Group Policy gpmc RSOP for the workstation, the local policy editor (gpedit.msc) still shows it unconfigured.

    Also, there is a related setting that is also broken. Even though a GPO is enabled to Block Microsoft accounts, this is also not enforced.

    So, both the PIN policy and the Microsoft account policy are broken.

    Monday, October 19, 2015 10:56 PM
  • That's what my link is about, MyGposts. It includes the fix for both.

    "a possible clue is that I noticed that even though PIN setting is configured as disabled in Group Policy gpmc RSOP for the workstation, the local policy editor (gpedit.msc) still shows it unconfigured" - normal behavior for any domain policy based setting.

    Tuesday, October 20, 2015 7:13 AM
  • Microsoft will take their time to evaluate. Maybe 2016 we will see a change in some insider build, so by 2017 the big change goes into production. Come one...

    The solution (temporary fix at least) is here: https://www.reddit.com/r/sysadmin/comments/3gdx4k/windows_10_block_microsoft_accounts/


    Thanks, this workaround works perfectly.
    Tuesday, October 20, 2015 9:46 AM
  • Hello,

    I work on a Windows 10 master for a customer. They want to make an Azure AD join on their machine but disable the pin. If I put the AllowDomainPINLogon registry key. I must create a pin the first time the user connect to the machine, but after i'm not able to use this pin to log me (I must use my password as desired)

    Is there a tweak to completly disable this pin function during the first connexion ? Or it's still unresolved ?

    PS : sorry for my english


    • Edited by M.Gauttier Wednesday, October 21, 2015 12:46 PM
    Wednesday, October 21, 2015 11:59 AM
  • We're having this problem. 

    It is HUGE for an enterprise as it essentially can bypass all domain password strength requirements. Windows 10 should have never made it to release with this bug in it.

    Likewise, the disabled Windows Mail and other GPO settings that just don't work. 

    Both, you can disable in Registry, in local GPO, in domain GPO - they're all just "placeholders" that have absolutely no effect.

    As a security professional, I have advised my organization to NOT DEPLOY WINDOWS 10 until this is resolved by Microsoft.

    Friday, October 30, 2015 10:58 PM
  • We also need to turn this PIN off. This BUG is still present in 10586 build (th2) even with new admx for this build. For workaround this issue i set maximum complexity of PIN so users wouldn't use it (complexity settings for PIN works from GPO). 
    Thursday, November 26, 2015 9:22 PM
  • Missed my workaround?
    Friday, November 27, 2015 8:09 AM
  • Missed my workaround?

    Nope - it doesn't work through GPO but when registry entries manually changed then it works - strange... (the gpo is changing registry values but nothing happens).

    That's why i use complexity settings - these works.

    Wednesday, December 2, 2015 8:54 AM
  • It does work via Group policy preferences (registry item distribution). Tested.
    Wednesday, December 2, 2015 9:41 AM
  • Hi Ronald,

    please be so kind and describe how did you disabled PIN logon for win10 computers.

    Thank you

    Tuesday, December 15, 2015 12:44 PM
  • Tuesday, December 15, 2015 1:49 PM
  • same issue has this been resolved? Nothing above works including the registry keys and gp
    Tuesday, March 8, 2016 8:27 PM
  • same issue has this been resolved? Nothing above works including the registry keys and gp
    So anyone can verify the current status on this gpo and the proposed workaround?
    Friday, March 18, 2016 11:59 PM
  • Hello

    The GPO Computer Configuration\Administrative Templates\System\Logon -> Turn on PIN is for Windows 8/8.1/2012/2012R2 only.

    If you want to disable the PIN-Login function, you have to set the following gpo:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Passport for Work > Use Microsoft Passport for Work -> Disabled


    • Edited by MatthiassaihttaM Monday, June 13, 2016 9:40 AM
    • Proposed as answer by HelpDeskI2 Monday, July 18, 2016 4:12 PM
    • Marked as answer by EJtech13 Monday, July 18, 2016 4:13 PM
    Monday, June 13, 2016 7:21 AM
  • I believe I found what you need to set. 

    Disabling the Windows Passport and disabling the Turn on convenience PIN sign-in policy didn’t stop the use of a PIN on Windows 10; you need to use Exclude credential providers.

    Under Computer Configuration\Administrative Templates\System\Logon you need to add CLSIDs of credential providers to the Exclude credential providers policy. The CLSID for PINLogonProvider is {cb82ea12-9f71-446d-89e1-8d0924e1256e}.Windows 10 GPO disable crappy sign-in options

    A link with the CLSIDs https://www.sophos.com/support/knowledgebase/114190.aspx
    • Edited by trmark123 Thursday, June 23, 2016 4:01 PM Added Link
    • Proposed as answer by trmark123 Thursday, June 23, 2016 4:04 PM
    Thursday, June 23, 2016 4:00 PM