On my side this link https://www.ibm.com/support/pages/node/7241360 given by @Chen Tran resolved my problem.
Thanks.
How to Fix Windows Hello for Business error code 0x80090010
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 36%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
Zack
10
Reputation points
We have been having issues when new users (some old users) try to add their Face Recognition and PIN for windows hello it comes up with this error message.
I have done research and it says it is caused by the July 2025 Windows Update, so I uninstalled that then I cleared the tpm. It worked for a while however it then started happening again after an hour. Is there any fix for this yet?
Windows for business | Windows 365 Business
{count} votes
-
Zack 10 Reputation points
2025-08-19T08:36:46.0033333+00:00 I found a fix,
- Go to Reg Editor go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies.
- Create a key called "PassportForWork" (if already there go to Step 6) Within the key create a new DWORD called UserPassportForWork
- Restart the computer.
- Once logged in, access Regedit again and check whether additional folders, such as eg, s1-5-3.. were created.
- If this is the case. Remove the DWORD called UserPassportForWork from the PassportForWork Access each of the subkeys created in PassportForWork and then access the key named “Policies” in each of them.
- For each of the keys, alter the UserPassportForWork in all Folders under Policies value from 0 to 1. Make sure to also do Device>Policy as well, which should then properly set up the Windows Hello PIN and Camera.
- Then make the user a Local Administrator by going to “Computer Management” (run as administrator)
- Then Reboot, and check if you can add the users Windows Hello. If so then remove the local administrator rights to the user.
- If still not working Repeat step 6 but logged in with the Users account, reboot then try again.
Sign in to comment
4 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 3%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOM%3C/text%3E%3C/svg%3E)
Oliveri Michaël 16 Reputation points2025-09-03T10:01:18.45+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 18%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Andrew Leech 0 Reputation points2025-09-25T03:28:19.2466667+00:00 On that link the text says to locate/update UserPassortForWork but the screenshot shows UsePassortForWork (Use vs User) - did you update the existing key or add a new one?
-
Oliveri Michaël 16 Reputation points
2025-09-25T07:18:14.2733333+00:00 Mistake in the text. The good one is the one in the screenshot : UsePassportForWork
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 81%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
Chen Tran 4,785 Reputation points Independent Advisor2025-08-05T10:42:12.9766667+00:00 Hello Zack,
Thank you for posting question on Microsoft Windows Forum.
Based on your issue description as well as the provided error code 0x80090010 which typically translates to NTE_PERM and indicates a permissions issue with the cryptographic key container. In this context, the July 2025 update appears to cause a corruption or otherwise prevents Windows from properly accessing the Ngc (Next Generation Cryptography) folder, which is where PIN and biometric data are securely stored. Clearing the TPM or the Ngc folder forces a recreation of this container, which works until the faulty update logic interferes again.
Your action of uninstalling the update and clearing the TPM provides a temporary fix because it removed the trigger (the faulty update) and reset the security container. The reason it failed after an hour is highly probably of because Windows automatically reinstalled the problematic update in the background. The following steps are a temporary workaround for the issue.
1.Pause Windows Updates.
- Go to Settings > Update & Security > Windows Update.
- Click on Advanced options.
- Under the Pause updates section, select a date as far into the future as possible (usually up to 35 days). This will give Microsoft time to release a fix, which typically arrives with the next month's "Patch Tuesday" update.
2.Uninstall the Problematic Update.
- If the update has reinstalled itself, you need to remove it again.
- In Settings > Update & Security > Windows Update, click View update history.
- Click Uninstall updates.
- In the Control Panel window that opens, look for the update installed in July 2025. It will likely be named "Security Update for Microsoft Windows (KBXXXXXXX)" or "Cumulative Update for Windows (KBXXXXXXX)".
- Select it and click Uninstall.
- Restart your computer when prompted.
By pausing your updates for a few weeks, you allow time for the official permanent fix to be released from Microsoft. Once you hear news that a patch is available, you can resume updates and install the new (fixed) cumulative update. You can check for news on the Windows Release Health dashboard or major tech news sites.
You can refer to the following article for more information regarding the error code.
Hope the above information is helpful!
-
Zack 10 Reputation points
2025-08-05T15:41:59.73+00:00 Hi Chen,
Thank you for the suggestion, however I have tried this on 1 machine (it worked) however when I try it on a different machine (including Pausing the update) it works temporarily until Entra connects again. Any other suggestions?
-
Chen Tran 4,785 Reputation points Independent Advisor
2025-08-06T05:55:50.9066667+00:00 Hi Zack,
Thank you for your information! Given such scenario, it is advisable to wait for the permanent fix (patch or update) to be released from Microsoft.
Meanwhile, I have found an article directly addressing the error code 0x80090010 relating to Windows Hello PIN setup. As this is a third-party article. Any attempt to follow the instructed steps should be carried out in a testing environment first.
Sign in to comment -
Zack 10 Reputation points
2025-08-19T08:34:52.2266667+00:00 I found a fix,
- Go to Reg Editor go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies.
- Create a key called "PassportForWork" (if already there go to Step 6) Within the key create a new DWORD called UserPassportForWork
- Restart the computer.
- Once logged in, access Regedit again and check whether additional folders, such as eg, s1-5-3.. were created.
- If this is the case. Remove the DWORD called UserPassportForWork from the PassportForWork Access each of the subkeys created in PassportForWork and then access the key named “Policies” in each of them.
- For each of the keys, alter the UserPassportForWork in all Folders under Policies value from 0 to 1. Make sure to also do Device>Policy as well, which should then properly set up the Windows Hello PIN and Camera.
- Then make the user a Local Administrator by going to “Computer Management” (run as administrator)
- Then Reboot, and check if you can add the users Windows Hello. If so then remove the local administrator rights to the user.
- If still not working Repeat step 6 but logged in with the Users account, reboot then try again.
-
Chen Tran 4,785 Reputation points Independent Advisor
2025-08-19T09:27:12.0233333+00:00 Hi Zack,
I am very happy to learn that you have eventually fixed the issue.
In case, you refer to the article https://www.ibm.com/support/pages/node/7241360 that I have posted in the comment responding to your question, might have provided you some clues or helpful hints to resolve the issue. You can consider marking it as correct answer to help others in the Windows community to find the same workaround more effectively and easily.
Have a nice day!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 87%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sadjad Davila 0 Reputation points2025-08-20T12:59:58.1333333+00:00 What if I already have "PassportForWork", should I remove it and then create a new one?
I even have folder under "PassportForWork" with biometrics and such.Best Regards,
Sadjad
Sign in to comment -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 28.999999999999996%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
sumesh 0 Reputation points2025-08-13T06:15:40.3266667+00:00 In the July patch, the tenant wide WHfB settings seems to take precedence over the user CSP WHfB policies. Even if WhfB is enabled via the user CSP, the global setting to disable WhfB will block pin setup. To Fix: Configure WHfB using the device CSP policy instead of the use CSP