We used to use an Office 365 NFR account provided by a tier-one vendor, and switched to a production account after Microsoft noticed.
Today I had a PIN login problem with my PC. (Some important files or the registry may have been corrupted.)
So I reset my PIN, but then I could no longer log on to my PC.
Whenever I tried to log on to my PC, the Windows logon screen showed “Your organization requires you to set up your work or school account with Windows Hello …” and my desktop never appeared.
What I did next was:
- disabled PIN logon in Group Policy -> still required a PIN, no luck
- tried to remove my “school and work account” in Settings -> I couldn’t log on to my account -> couldn’t remove it
- disconnected from the domain -> still required a PIN, no luck
- checked the Microsoft Endpoint Manager admin center on office.com -> we no longer have an account for Intune because we terminated the previous accounts provided by the tier-one vendor
- checked Azure AD admin center – Devices -> I found that most of our devices are joined to Azure AD as “Hybrid Azure AD join”
Through the work above I found the cause, which is:
- “Hybrid Azure AD join” requires a PIN, but we don’t have MS Endpoint Manager admin rights, so we can’t change the policy
- even though I changed the PIN and disabled PIN in Group Policy, the PIN requirement is still controlled by MS Endpoint Manager (Intune)
The workaround is:
- delete my desktop PC name from Azure Devices
- log on to my PC with a local admin account (.\owner)
- add a “school and work account” on my PC -> now the Join Type has changed from “Hybrid AD join” to “Azure AD registered”
- join my PC to our local domain
- log on to my PC with my domain account (domain\user name) -> OK!
- Control Panel – Task Scheduler – Microsoft – Windows – Workplace Join – Automatic-Device-Join -> “Disabled”
- run the command “dsregcmd.exe /debug /leave” and reboot the PC
It took me half a day to solve this issue.
It was a nice weekend.
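As an added example (not part of the original post), the PowerShell below reads the same device join state the author checked from `dsregcmd /status`, classifies it the way the Azure AD portal labels it, and reports the Workplace Join scheduled task the workaround disables. The join-type mapping follows Microsoft's documented meaning of the dsregcmd fields; run it in an elevated PowerShell session on the affected PC before and after the workaround to confirm the change from “Hybrid Azure AD joined” to “Azure AD registered”.

```powershell
# Added example, not from the original post. Requires an elevated PowerShell on the PC.

function Get-DsregField {
    # dsregcmd /status prints fields as "   FieldName : VALUE"; return VALUE for one field.
    param([string[]]$Lines, [string]$Name)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-JoinType {
    # Classify the device using the "Device State" and "User State" fields of dsregcmd.
    param([string[]]$StatusLines)
    $aad = Get-DsregField $StatusLines 'AzureAdJoined'
    $dom = Get-DsregField $StatusLines 'DomainJoined'
    $wpj = Get-DsregField $StatusLines 'WorkplaceJoined'
    if ($aad -eq 'YES' -and $dom -eq 'YES') { return 'Hybrid Azure AD joined' }   # the state that pulled Intune policy
    if ($aad -eq 'YES')                      { return 'Azure AD joined' }
    if ($wpj -eq 'YES')                      { return 'Azure AD registered' }      # the state after the workaround
    if ($dom -eq 'YES')                      { return 'Domain joined only' }
    return 'Not joined'
}

$status = dsregcmd.exe /status
"Join type                  : $(Get-JoinType $status)"
"Windows Hello key (NgcSet) : $(Get-DsregField $status 'NgcSet')"   # YES means a PIN/Hello key exists for this user

# Task that re-attempts hybrid join at each boot; the post sets it to Disabled so the device stays registered only.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                          -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task) { "Automatic-Device-Join task  : $($task.State)" }
else       { "Automatic-Device-Join task  : not found" }
```

If the task still shows Ready and the join type reverts to hybrid after a reboot, the device was re-registered automatically and the task needs to be disabled again.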