To disable Windows Hello when an AD account has been accidentally merged with a Microsoft Account, you'll need to:


1. First, disconnect the Microsoft Account from the local AD account:

- Log in as the affected user

- Go to Settings > Accounts > Access work or school

- Select "Disconnect" for the Microsoft Account connection


2. Then remove the Windows Hello credentials:

- Open Command Prompt as administrator

- Run: `certutil -deleteHelloContainer`

- This removes all Windows Hello credentials for the current user, meaning the account the command runs under


3. To prevent re-enrollment in Windows Hello:

- Open Group Policy Editor (gpedit.msc)

- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

- Set "Use Windows Hello for Business" to "Disabled"


4. If needed, you can also force removal via registry:

```
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\EAS\Policies" /f
```


After these steps, restart the computer for changes to take effect. The user should then be able to log in with just their AD credentials.


Note: You may need to clear cached credentials from Credential Manager if you encounter any lingering issues.
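
To confirm the outcome after the restart, the following PowerShell check can be run in the affected user's session. It is an added example, not part of the original steps. It assumes the "Use Windows Hello for Business" policy is stored as the `Enabled` value under `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork` and that the `NgcSet` field of `dsregcmd /status` reflects whether a Hello key is still provisioned for the signed-in user; the function names are illustrative.

```powershell
# Added verification example: read-only checks, nothing is modified.
# Assumption: registry location backing the "Use Windows Hello for Business" policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

# The two keys deleted in step 4; they should no longer exist.
$RemovedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device',
    'HKLM:\SYSTEM\CurrentControlSet\Control\EAS\Policies'
)

function Get-HelloPolicyState {
    # Returns Disabled / Enabled / NotConfigured for the computer-level policy.
    $value = (Get-ItemProperty -Path $PolicyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { 'NotConfigured' }
    elseif ($value -eq 0) { 'Disabled' }
    else                  { 'Enabled' }
}

function Get-NgcSet {
    # Parses "NgcSet : YES|NO" from dsregcmd output for the signed-in user.
    if (-not (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)) { return 'Unknown' }
    $hit = dsregcmd.exe /status |
        Select-String -Pattern '^\s*NgcSet\s*:\s*(\S+)' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Unknown' }
}

function Test-HelloRemoval {
    $leftover = @($RemovedKeys | Where-Object { Test-Path -Path $_ })
    $policy   = Get-HelloPolicyState
    $ngc      = Get-NgcSet
    [pscustomobject]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        HelloPolicy  = $policy              # expected: Disabled
        NgcSet       = $ngc                 # expected: NO
        LeftoverKeys = $leftover -join '; ' # expected: empty
        Clean        = ($policy -eq 'Disabled') -and ($ngc -ne 'YES') -and ($leftover.Count -eq 0)
    }
}

Test-HelloRemoval | Format-List
```

If `Clean` is `False`, the other fields show which step did not take effect for the signed-in account.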