When User Verification (UV) is enabled in Okta, Windows uses Windows Hello to implement UV solutions like PINs or biometrics, prompting the user to set them up during Okta Verify enrollment. To prevent this prompt, disable User Verification globally in Okta, or disable Windows Hello mechanisms directly in Windows 10 or 11 using Group Policy or Registry modifications.

• Okta Identity Engine (OIE)
• Windows Operating Systems: 10, 11
• Okta Verify

When User Verification (UV) is enabled, Windows uses Windows Hello as the mechanism to implement UV solutions, such as PINs and biometrics. Because the mechanism to provide UV is specific to the operating system, Windows prompts the user to configure Windows Hello during Okta Verify enrollment.

To resolve this, disable User Verification globally in Okta. Alternatively, modify the Windows operating system settings to disable Windows Hello. Consult with Microsoft before implementing OS-level changes, as the administrator assumes all responsibility for vetting these modifications.

How is Windows Hello disabled using Group Policy settings?

If using the Windows 10 Pro edition, change the Group Policy settings to disable the PIN sign-in option for all users by following these steps:

1. Open the Run dialog box by pressing the Windows key and the R key together.
2. Type GPEDIT.MSC and press Enter.
3. Go to Computer Configuration > Administrative Templates > System > Logon.
4. On the right side, double-click Turn on convenience PIN sign-in and select Disabled.

The following image displays the Logon settings in the Local Group Policy Editor:

5. Disable any other Windows Hello options.
6. Exit the Group Policy Editor and reboot the computer.

Biometrics can Also be Disabled in Group Policy

If biometrics are available on the system, disabling them also prevents the Windows Hello prompt during Okta Verify enrollment by following these steps:

1. Open the Run dialog box by pressing the Windows key and the R key together.
2. Type GPEDIT.MSC and press Enter.
3. Go to Computer Configuration > Administrative Templates > Windows Components > Biometrics.
4. On the right side, double-click Allow the use of biometrics and select Disabled.

The following image displays the Biometrics settings in the Local Group Policy Editor:

5. Disable any other Windows Hello options.
6. Exit the Group Policy Editor and reboot the computer.

How is Windows Hello disabled using the Windows Registry?

If setting the Group Policy does not work, disable the sign-in options in the Registry to deactivate Windows Hello for all user accounts by following these steps:

NOTE: The Registry is a database in Windows that contains important information about system hardware, installed programs, settings, and profiles for each user account. Windows frequently reads and updates this information. Unnecessary changes to the Registry should be avoided, as incorrect modifications can cause Windows to stop working or report incorrect information. Back up the Registry before proceeding by following the instructions in the Microsoft support article: How to back up and restore the registry in Windows.

1. Open the Run dialog box by pressing the Windows key and the R key together.
2. Type Regedit and press Enter.
3. When the Registry Editor opens, navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions
4. In the right pane, double-click the DWORD entry named value and set it to 0.

The following image displays the AllowSignInOptions Registry key configuration:

To re-enable Windows Hello, change the DWORD entry value back to 1.

Related References

• Enabling Windows Hello Setup Prompt when Registering Okta Verify
• How to back up and restore the registry in Windows