This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 6%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi All,
I'm having an issue attempting to setup Windows Hello PIN within my organization. I have attempted to configure in both GPO and MDM (Intune). I attempted both separately and together as I know there is a possiablily for conflict when configuring in both.
In GPO on both Domain Controller and local machine (attempted independently and together) I configured both:
Administrative Template > Windows Components > Windows Hello for Business > Use Windows Hello for Business = Set to Enable
and
Administrative Template > System > Logon > Turn on Convenience PIN Sign-in = Set to Enable
I also made sure policy was linked to proper OU and scope filtering was setup correctly and ran gpupdate /force after configuring (completed successfully)
Result - This enables the option to use and setup the PIN but when attempting to sign in with PIN I receive errors (I will attach errors below)
I have also attempted to configure this in Intune as well using the following configuration.
I have made sure both my Computer name and User is in the proper security group specified in policy and that my device was in compliance and recently checked in.
Result - again this enables the option to use and setup the PIN but when attempting to sign in with PIN I receive errors (I will attach errors below)
The Errors I'm receiving.
After Entering PIN
After Clicking "Okay"
Then I attempt to "Setup my PIN" and get
I checked Event Viewer and I'm getting Audit Failure with EventID 4625 during those times
I attempted to look this up online and saw some people where having luck with taking ownership and renaming or deleting contents of the "ngc" folder located at C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft
I tried this using a local Admin account to complete this process still with no luck in resolving the issue.
Here is my window version:
Any help would be greatly appreciate. Please let me know if there is any additional information I can provide.
Thank you,
Convenience PINs are not the same thing as WHfB PINs. See https://support.microsoft.com/en-us/topic/254aa584-443b-ec69-c417-ee4020dc9d1d for details.
Hi Jason,
Thank you for your answer. I have already attempted running with each GPO applied independently and together. Just to confirm this I have gone back and set all GPO policies to "Not Configured", keeping only the Intune configuration policy set. Then ran gpupdate and sync to Intune again. The option to created/change the PIN is still not grayed out meaning the Intune policy is working. However, I am still getting the same error message. Also, I see in the link you posted.
"Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled)."
It may be worth mentioning this PC is Azure AD-joined.
Any additional information or suggestions are greatly appreciated as this issue is still not resolved.
Thank you
It may be worth mentioning this PC is Azure AD-joined.
Confused on this statement. How are you applying GPOs? GPOs are unrelated to Azure AD joined systems.
Its a hybrid AD setup. I apply GPOs directly from the Domain Controller's Group Policy Management Tool. Regardless the GPOs should not be needed if there is a configuration policy setup in Intune for Windows Hello for Business. Correct?
Its a hybrid AD setup
OK, that contradicts the statement I called out above then.
Correct, they shouldn't be needed, but now that you've applied them, it's possible something has gone sideways. I'd suggest testing with a device that has no WHfB specific GPOs applied and never has had any applied either.
Ok, so I tested on another machine that is linked to Intune. I made sure to add it to the proper security group that is attached to the configuration profile. I also made sure it was synced to Intune afterward. Once I knew the Sync was complete I rebooted and checked settings. The PIN doesn't display as an option.
Any ideas on where I'm going wrong?
Are there any updates on this issue?
@JCircuit13 To clarify this issue, did you mean that the setting "Windows hello PIN" is missing when you set windows hello for business via intune?
For this issue, I have done the test in my lab. I deploy the same configuration profile to my device group and
the Deployment Status shows succeeded. When I check the "Sign-in options", the options display normally.
To get accurate help, it is better to create an online support ticket to find the root cause. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support
Hope everything goes well with you.