I recently upgraded to the 20H2 (October update) version of Windows 10. It has a number of nice tweaks…and one seriously annoying one. In a nutshell, it forces you (I don’t recall seeing an option not to) to enable PIN identification. Once you do, password authentication is disabled (i.e., PIN login becomes the default).
There’s nothing wrong with PINs, particularly because apparently they are stored locally on your system (presumably encrypted or as a hash) and therefore the authentication process does not involve communicating, however securely, with Microsoft to verify that you are you (which I guess passwords for Microsoft accounts did).
The problem is (a) the lack of choice over something pretty fundamental to your workflow, (b) lack of documentation of what’s going to happen when you accept the required change, and (c) the fact the change will make it impossible for you to access your desktop remotely via Remote Desktop Protocol. Which I use a lot to access my desktop from various iOS devices.
All in all not one of Microsoft’s finer hours when it comes to providing a good user experience.
There is a way to get things working again…but it’s not intuitive. In fact, some of it is counter-intuitive. However, thanx to the good people over at superuser.com and a little sweat equity I’ve restored the functionality I’m used to. Here’s what I did.
Bring up Sign-in options in Settings (you can do this by typing sign-in in the desktop search box). You’ll end up with a page looking something like this, without the red boxes:
When I first did this the Windows Hello PIN and Password options were marked as disabled and the Require Windows Hello sign-in for Microsoft Accounts was enabled/on. So I:
- Disabled Require Windows Hello sign-in for Microsoft Accounts. I did this to make sure other options, like using passwords, were available to me on the Windows login screen.
- Enabled Windows Hello PIN. This was the counter-intuitive part because it was already enabled — remember, the 20H2 upgrade required me to choose a PIN, after which that was the only way I could sign in to Windows — and I feared re-enabling it would lead to dire problems (after all, by this point I was pretty confused and angry at how Microsoft had rolled this change out). However, everything went smoothly. I had to provide a two-factor authentication code Microsoft texted me (setting that up was part of being forced to switch to the PIN login), but once I did, the system recognized it already had a PIN set up (duh).
- Enabled Password. This was straightforward but, sadly, did not simply re-activate the login password I’d been using previously. I had to enter a new one. Which had to conform to modern best practices, so I couldn’t use the password I’ve been using for 20 years to get into Windows (okay, okay, not a best practice; but I’m behind a heavy-duty firewall and nobody knows, or even suspects, what that password was; I’ve never been hacked, so far as I can tell). However, the overall process was smooth.
Once this was all done I could log in to Windows using a PIN or a password and was able to access the system remotely from my iOS devices via RDP. Although I think I had to exit the RDP app on my iPad and re-launch it to get it to work. Success!
Too bad, though, that those, uh, fine people at Microsoft didn’t bother to explain all of this and make the process a little more straightforward.