How to completely remove Azure AD user profile and folders

Question

Thursday, April 16, 2020 12:58 PM

We (all Office 365 users) once in a while sign into some colleagues' AAD-joined computers (who are not administrators) to adjust some stuff on their behalf, and would like to remove traces of our Azure AD accounts off their computers - there is no real point keeping them there, together with the locally-cached Windows Hello for Business PIN in the TPM.

Is there a proper way to carry this out remotely via Intune MDM?

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

All replies (7)

Thursday, April 16, 2020 1:39 PM

Tried a PowerShell script with Remove-WmiObject for Win32_UserProfile class,

(Get-WmiObject -Class Win32_UserProfile -Filter "LocalPath LIKE '%username'") | Remove-WmiObject

While that removed the profile home folder, I found that the user can still sign in with the old PIN, go through another user setup process and then request a new PIN. So the process does not include an attempt/procedure to clear the TPM of PINs of gone users... hmmmm.

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
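As an added example (not code from the original thread), the same Win32_UserProfile removal with the checks a defender would want before running it remotely: an exact match on the profile folder name instead of the LIKE '%username' wildcard above (which also matches any other profile whose path merely ends in that string, e.g. '%bob' hits 'jacob'), refusal of loaded or special system profiles, and -WhatIf support for a dry run. The profile folder name is a constructed placeholder; as the thread observes, deleting the profile does not clear a Windows Hello for Business PIN container from the TPM, which this script does not attempt.

```powershell
# Added example, not from the original thread. Removes one user profile by exact
# folder name rather than the LIKE '%username' wildcard, skipping loaded/special
# profiles. Supports -WhatIf / -Confirm via SupportsShouldProcess.
# Does NOT touch Windows Hello for Business PIN material in the TPM.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Leaf of the profile folder under C:\Users, e.g. 'jane.doe' (constructed example value).
    [Parameter(Mandatory = $true)]
    [string]$ProfileFolderName
)

# Get-CimInstance replaces the deprecated Get-WmiObject used in the thread.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { (Split-Path -Leaf $_.LocalPath) -ieq $ProfileFolderName }

if (-not $profiles) {
    Write-Warning "No profile with folder name '$ProfileFolderName' found."
    return
}

foreach ($p in $profiles) {
    # Resolve the SID to an account name for the audit line; fails for already-deleted accounts.
    $account = try {
        (New-Object System.Security.Principal.SecurityIdentifier($p.SID)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolvable>' }

    if ($p.Special) {
        Write-Warning "Skipping special/system profile $($p.LocalPath) ($($p.SID))."
        continue
    }
    if ($p.Loaded) {
        # Deleting a loaded profile corrupts it; the user must be signed out first.
        Write-Warning "Skipping $($p.LocalPath): profile is currently loaded."
        continue
    }
    if ($PSCmdlet.ShouldProcess("$($p.LocalPath) [$account / $($p.SID)]", 'Remove user profile')) {
        # Removes the profile folder and its ProfileList registry entry, as Remove-WmiObject did.
        Remove-CimInstance -InputObject $p -ErrorAction Stop
        Write-Output "Removed profile $($p.LocalPath) for $account."
    }
}
```

Run with `-WhatIf` first when deploying through Intune to see exactly which profile and SID would be removed.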


Friday, April 17, 2020 2:19 AM

Hello,

Thanks for posting in our TechNet forum.

Maybe you could get Azure support through the following link:
https://social.msdn.microsoft.com/Forums/en-US/home?category=windowsazureplatform

Thank you so much for your time and support.

Best regards,
Snowy Guan

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, April 17, 2020 8:19 AM

Hi Snowy,

It's not a raw Azure or Azure AD problem as it is about existing user accounts in a Windows client computer, and their respective local credentials (PIN) cached in the TPM.

Although yes, we'd like to be able to apply the solution remotely via Intune (like PowerShell script).

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral


Saturday, April 18, 2020 8:34 AM

Tweaked the scenario to test behaviour with a personal Microsoft account (hotmail.com) instead of Office 365 AAD user.

Observed results

  • User not required to set up a Windows Hello PIN. Had to manually do so in Sign-in options.
  • On removal of said Win32_UserProfile, home folder gone and old PIN unusable. Had to sign in using the password again and set up a new user profile.

Hypothesis is that since it's a personal Microsoft account, it only uses a regular Windows Hello PIN, which is thus stored somewhere in the user home folder or registry, unlike Windows Hello for Business PINs stored in the TPM.

In a sense, this is the more wholesome result we'd like to achieve for AAD accounts - how to get rid of the PINs in the TPM?

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral


Monday, April 20, 2020 9:19 AM

Hello,

Thank you so much for your feedback.

Since it involves Azure AD, we suggested that we could submit a service request to the Azure AD forum so that a dedicated support professional could assist us with this request.

Based on my extensive data collection and research, there might be no way to solve our issue currently. Someone encountered the same problem but there seemed to be no solution. Here are the similar cases talking about this issue, and we could kindly have a check.

https://answers.microsoft.com/en-us/windows/forum/all/how-to-properly-delete-azuread-profile-data-from/29796912-92cd-4484-90a3-54ba8cb86166

https://community.spiceworks.com/topic/2167848-remove-azure-ad-profile-from-windows-device

Besides, we would like to know how to get rid of the PINs in TPM. We could have a check whether the discussion in the below thread helps.
https://social.technet.microsoft.com/Forums/fr-FR/78d92ff5-b169-4a95-bc33-79563bb084f0/remove-bitlocker-pin-requirement?forum=w7itprosecurity

Thank you so much for your understanding and support.

Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

Best regards,
Snowy Guan

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, April 22, 2020 6:22 AM

A couple of things

  1. First thread from answers.microsoft.com is a horrifying showcase of failure in reading comprehension and situation awareness regarding what the thread starter is trying to do. That thread should never be brought to attention again since it achieves zero in trying to solve the problem.
  2. Second thread from spiceworks is an attempt to simply clear a corrupted Win32_UserProfile which I believe is achievable with above PowerShell script. But, they are not interested in any WHFB PIN that may be stored in the TPM.
  3. Third thread from TechNet is focused on removing PINs for BitLocker, not WHFB user PINs. Do they turn out to be the same thing as far as the TPM is concerned? I don't know. I haven't yet come across any details on how a TPM can/will differentiate a BitLocker PIN from a Windows account PIN. A cursory look at the manage-bde cmdlet seems to indicate it's only meant for BitLocker management (thus bde = BitLocker Drive Encryption), not Windows Hello for Business.

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral


Thursday, April 23, 2020 6:36 AM

Hello,

Thank you so much for your feedback.

So sorry that the three threads did not help. According to the thread below, the TPM does not support the delete operation. For more information, we could refer to the link:
https://superuser.com/questions/1527685/how-to-remove-webauthn-credentials-from-onboard-tpm-on-win10-device

If we want to solve the problem through Intune, please turn to the Intune forum for further assistance. Below is the forum link:
https://social.technet.microsoft.com/Forums/windows/en-US/home?category=microsoftintune

Thank you so much for your understanding and support.

Best regards,
Snowy Guan

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].