Windows Hello for Business "Reuse PIN" Policy Not Working

Dwiponggo Bawono 0 Reputation points
2025-02-25T05:50:23.2133333+00:00

Hello All,

We are facing an issue with the Windows Hello for Business "Reuse PIN" policy not working as expected. Below are the details of our configuration and troubleshooting steps:

Issue:

We have configured an Account Protection Policy via Microsoft Intune to enforce Windows Hello PIN settings. While most settings are applied successfully, the PIN history restriction does not work. Our requirement is to prevent users from reusing the last 5 PINs when they change their PIN. However, users can still reuse their previous PINs despite the policy.

Troubleshooting Steps Taken:

✅ Verified the policy assignment report in Intune – the policy is successfully deployed.
✅ Checked the registry key on affected devices:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity

  The History value is correctly set to 5.
✅ Ensured that the devices have synced properly with Intune.
✅ Tested on multiple devices, but users can still reuse old PINs.

Expected Behavior:

The PIN history policy should prevent users from reusing their last 5 PINs when changing their PIN.

Additional Information:

We have already raised a support ticket with Microsoft 365 Support (Intune Team) regarding this issue. Based on their investigation:

✅ The policy has been successfully deployed to devices.
✅ The registry values are correctly set as per the policy.
✅ No issues were found on the Intune configuration side.

Given this, they suspect the issue might be related to Windows enforcement on the device itself rather than the policy deployment.

Questions:

Is there any known issue with enforcing PIN history in Windows Hello for Business?

Are there additional configurations required apart from setting the PINComplexity\History registry value?

Are there logs or troubleshooting steps to check why this policy is not being enforced?

Has anyone else experienced this issue before? If so, how was it resolved?

Any insights or guidance would be greatly appreciated!

Best regards,

d.bawono


1 answer

  1. Jose Benjamin Solis Nolasco 3,511 Reputation points
    2025-02-25T20:18:16+00:00

    The last time I experienced this issue, we resolved it by re-logging in the Microsoft account on the user's computer and also removing the PIN, then registering it again (last step in this guide), but this is not the best solution for a large environment.

    I will share the steps I did a long time ago; I hope this works for you while the Intune Team works on the ticket.

    Check if Windows Hello for Business is Hybrid or Cloud-Only

    • If the environment is Hybrid Azure AD Joined, there may be GPO vs. Intune conflicts.
    • Run this PowerShell command to check the join status:

    ```powershell
    dsregcmd /status
    ```

    • If both "AzureADJoined" and "DomainJoined" are YES, verify that there’s no conflicting GPO controlling PIN settings.

    Confirm PIN Reset Flow and Try Enforcing PIN Reset via PowerShell

    If users are changing their PIN outside the standard Windows Hello for Business flow, PIN history enforcement may not be applied correctly.

    Force PIN reset via PowerShell:

    ```powershell
    # Create the PINComplexity policy key if it does not exist yet
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork" -Name "PINComplexity" -Force
    # Set the PIN history length (number of previous PINs that cannot be reused) to 5
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" -Name "History" -Value 5 -Type DWord
    # Refresh policy so the change is applied
    gpupdate /force
    ```

    Then restart the system and test again.


    Check Windows Hello for Business Credentials Storage

    Sometimes, credential caching can bypass PIN history enforcement. Clear Windows Hello credentials and re-register:

    1. Open Settings > Accounts > Sign-in options.
    2. Under Windows Hello PIN, select Remove.
    3. Restart and set up a new PIN.

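The answer above asks for two checks on each affected device: the join status from dsregcmd and the History value under the PINComplexity policy key. The following script is an added example, not code from the original answer, that collects both into one object so the result can be compared across devices; the function name and output field names are my own, while the registry path and the dsregcmd fields come from the thread.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
function Test-WhfbPinHistoryPolicy {
    [CmdletBinding()]
    param(
        # Number of previous PINs the policy is expected to block (5 in the post).
        [int]$ExpectedHistory = 5
    )

    # Parse "Key : Value" lines of dsregcmd /status into a hashtable
    # (PowerShell hashtable keys are case-insensitive, so AzureADJoined/AzureAdJoined both match).
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $azureAdJoined = $status['AzureADJoined'] -eq 'YES'
    $domainJoined  = $status['DomainJoined']  -eq 'YES'

    # Read the History value that the Intune policy (or a GPO) writes.
    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    $history = $null
    if (Test-Path $keyPath) {
        $history = (Get-ItemProperty -Path $keyPath -Name 'History' -ErrorAction SilentlyContinue).History
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        AzureAdJoined     = $azureAdJoined
        DomainJoined      = $domainJoined
        # Both YES means hybrid joined: review GPOs for conflicting PIN settings, as the answer suggests.
        HybridJoined      = ($azureAdJoined -and $domainJoined)
        HistoryValue      = $history
        # A REG_DWORD comes back as Int32; another type would indicate a wrongly written value.
        HistoryIsDword    = ($history -is [int])
        HistoryAsExpected = ($history -eq $ExpectedHistory)
    }
}

Test-WhfbPinHistoryPolicy | Format-List
```

A device that reports HybridJoined as True with HistoryAsExpected also True is the case the answer describes, where the value is present but a domain GPO may still be overriding the Intune setting.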