Configure Windows Hllo for Business for Windows 365 cloud PCs and Azure Virtual Desktop

Question

Configure Windows Hllo for Business for Windows 365 cloud PCs and Azure Virtual Desktop

Prabhjot Singh 255

Hi Team,

I'm trying to set up Windows Hello for Business on my Windows 365 Cloud PC and Azure Virtual Desktop (AVD).

At the organization level, Windows Hello for Business is enabled, and it works fine on my physical device.

However, when I use the same account to log into my Cloud PC or AVD, it asks for my password and fingerprint.

The password works fine,

But the fingerprint login doesn't work on the Cloud PC or AVD.

Could you please provide step-by-step instructions to configure Windows Hello for Business (Fingerprint and PIN) for these scenarios:

Cloud-only joined machines
Hybrid Azure AD joined machines
Entra ID joined machines

Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-04T13:24:43.5866667+00:00

Hello Prabhjot Singh,

To Enable PIN and Fingerprint for AVD or Cloud PC

First, open the Intune portal [ https://intune.microsoft.com/]and then navigate to Devices > Configuration. Once the configuration page is opened, click on Create Policy and select the Platform as Windows 10 and later and Profile type as Settings catalog, then click on Create.

After that, it will open the Basics tab. Fill in the name of the policy and click Next. Then it will open the Configuration tab. In the Configuration tab, click on Add Settings, then search for Windows Hello for Business.

After that, select the following settings:

Allow Use of Biometrics

Digits

Maximum PIN Length

Minimum PIN Length

Require Security Device

Use Windows Hello for Business (Device)

Use windows Hello for Business (User)

Then click on Next.

It will navigate to the Assignments tab. Under Assignments, you can assign to Users, Groups, or Devices. You can include or exclude any device, user, or group based on your requirement by using a filter. Refer to the screenshot below for fee.
Once the policy is created, verify it on the device. Make sure the device is Azure AD joined. To check this run the following command in PowerShell
dsregcmd /status
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-05T09:58:09.75+00:00

Hi Prabhjot Singh

I would like to follow up if the below provided comment is helpful. If not, please share more details of where you stuck so we can help you.
Prabhjot Singh 255 Reputation points

2025-06-05T10:13:43.4733333+00:00

Hi @Mallikarjuna Vardham , I have configured the policy as given above, applied to both user and device. Now, when executing dsregcmd /status cmd, Ncgset is still set to No and device is entra joined.

Under Settings -> Accounts ->Ways to Sign-in, PIN option is not visible.
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-05T12:24:36.2866667+00:00
Hi Prabhjot Singh

This means Windows Hello for Business (WHfB) is not provisioned on the device for the user, which is why the PIN option is not visible under Settings > Accounts > Sign-in options.

Verify configuration profile in Intune > Settings to include:

Use Windows Hello for Business = Enabled

Use biometrics = Enabled

(Optional) PIN complexity settings

Assignments include:

Target user and device

Restart the device and check logs:

Run: eventvwr.msc

Go to Applications and Services Logs > Microsoft > Windows > HelloForBusiness > Operational

Look for errors related to PIN or WHfB provisioning.

2 answers

Your answer

Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-04T13:24:43.5866667+00:00

Hello Prabhjot Singh,

To Enable PIN and Fingerprint for AVD or Cloud PC

First, open the Intune portal [ https://intune.microsoft.com/]and then navigate to Devices > Configuration. Once the configuration page is opened, click on Create Policy and select the Platform as Windows 10 and later and Profile type as Settings catalog, then click on Create.

After that, it will open the Basics tab. Fill in the name of the policy and click Next. Then it will open the Configuration tab. In the Configuration tab, click on Add Settings, then search for Windows Hello for Business.

After that, select the following settings:

Allow Use of Biometrics

Digits

Maximum PIN Length

Minimum PIN Length

Require Security Device

Use Windows Hello for Business (Device)

Use windows Hello for Business (User)

Then click on Next.

It will navigate to the Assignments tab. Under Assignments, you can assign to Users, Groups, or Devices. You can include or exclude any device, user, or group based on your requirement by using a filter. Refer to the screenshot below for fee.
Once the policy is created, verify it on the device. Make sure the device is Azure AD joined. To check this run the following command in PowerShell
dsregcmd /status
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-05T09:58:09.75+00:00

Hi Prabhjot Singh

I would like to follow up if the below provided comment is helpful. If not, please share more details of where you stuck so we can help you.
Prabhjot Singh 255 Reputation points

2025-06-05T10:13:43.4733333+00:00

Hi @Mallikarjuna Vardham , I have configured the policy as given above, applied to both user and device. Now, when executing dsregcmd /status cmd, Ncgset is still set to No and device is entra joined.

Under Settings -> Accounts ->Ways to Sign-in, PIN option is not visible.
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-05T12:24:36.2866667+00:00

Hi Prabhjot Singh

This means Windows Hello for Business (WHfB) is not provisioned on the device for the user, which is why the PIN option is not visible under Settings > Accounts > Sign-in options.

Verify configuration profile in Intune > Settings to include:

Use Windows Hello for Business = Enabled

Use biometrics = Enabled

(Optional) PIN complexity settings

Assignments include:

Target user and device

Restart the device and check logs:

Run: eventvwr.msc

Go to Applications and Services Logs > Microsoft > Windows > HelloForBusiness > Operational

Look for errors related to PIN or WHfB provisioning.

Answer 1

Alex Burlachenko 11,610

hi there Prabhjot Singh, thanks for throwing this question out there )) windows hello for business is awesome but yes, cloud pcs and avd can be tricky with biometrics.

windows hello for business on cloud pcs and avd doesn't support fingerprint or facial recognition directly. why? because u're not physically touching the device )) but PIN login? that works!

for cloud-only joined machines

make sure windows hello for business is enabled in entra id. u can check this in the microsoft entra admin center under identity > authentication methods > authentication method policy. here's the microsoft doc for review if u like.
on the cloud pc, go to settings > accounts > sign-in options. if everything's set right, u should see 'windows hello pin' as an option. just set it up like normal.

for hybrid azure ad joined machines, this one's a bit more involved. u need to make sure group policy isn't blocking it. check the policy under computer configuration > administrative templates > windows components > windows hello for business. set 'use windows hello for business' to enabled. microsoft's got a full guide on this. oh and dont forget, the cloud pc needs line of sight to the domain controller for hybrid join to work right.

for entra id joined machines: this is the easiest one. just enable windows hello for business in the authentication methods policy like before. the cloud pc will pick it up automatically when u sign in. if it doesn't, try rebooting (classic fix, i know :)). fingerprint won't work on cloud pcs or avd because the biometric sensor isn't virtualized. but PIN? yes! and its just as secure.

MSFT docs explain it deeper here. hope this helps////

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/

Prabhjot Singh 255 Reputation points

2025-06-05T10:16:05.89+00:00

Hi @Alex Burlachenko , Thanks for the details as given, I have covered most of the steps, but still PIN option is not visible. Could you please help me to configure PIN for Windows 365 cloud PC? Facing the issue.
Alex Burlachenko 11,610 Reputation points

2025-06-05T11:05:43.26+00:00
aha, got it! ok let me help u to configure PIN for Windows 365 cloud pc and lets see what tp do if the PIN option is still missing on your Windows 365 cloud pc

first, check these basics, make sure WHfB is enabled in Entra ID. go to Entra admin center > Protection > Authentication methods > Policies. under Windows Hello for Business, set it to Enabled. MSFT doc

verify the user is allowed to use WHfB, same place as above, check if the policy applies to All users or a specific group. if u’re in the right group, cool. if not, add yourself )) check if the cloud pc is properly registered

sometimes, the device needs a fresh sync. open cmd on the cloud pc and run

dsregcmd /status look for AzureAdJoined: YES and DomainJoined: NO (if it’s cloud-only). if not, reboot and check again. if still no PIN, force a policy refresh, open Command Prompt as admin and run gpupdate /force ..... then restart the cloud pc. policies can be stubborn sometimes ))

manual registry tweak (if policies are stuck), careful with this one! only do it if nothing else works. open Registry Editor (regedit). go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork

if PassportForWork key doesn’t exist, create it.

inside, create a new DWORD (32-bit) value named Enabled and set it to 1.

reboot.

still nothing? try a fresh Intune policy....

if your org uses Intune, push a new Windows Hello for Business policy go to Intune admin center > Devices > Configuration profiles > Create new policy. pick Windows 10 and later > Identity Protection > enable Configure Windows Hello for Business. assign it to your cloud pc or user group.

give it some time (like 15-30 mins), then restart and check again. sometimes the cloud just needs a sec to catch up ))

if it’s STILL not showing up… hit me back, and we’ll dig deeper! microsoft’s full WHfB guide has more better options, but let’s hope it doesn’t come to that :))

good luck

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx. P.S. If my answer help to you, please Accept my answer ))) PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/
Prabhjot Singh 255 Reputation points

2025-06-06T12:11:20.27+00:00

Hi Alex Burlachenko, No luck so far. Could you please let me know if TPM is supported for AVD machines with a host pool type set to Personal? Is there any configuration or step that I might be missing?
Alex Burlachenko 11,610 Reputation points

2025-06-06T13:22:11.4366667+00:00

Hi, quickly answering to u question...
Does AVD (Persona) support tpm for windows hello? Nope, not directly. AVD (Personal or Pooled) runs on shared Azure VMs, and Microsoft doesn’t expose virtual TPM (vTPM) to session hosts by default. Windows Hello for Business (WHfB) relies on TPM for PIN/biometric security. No TPM = No WHfB PIN/Fingerprint. Physical TPM isn’t an option since AVD is virtual, u can’t slap a hardware chip in the cloud )) Microsoft’s official stance is here under Authentication limitations.

But, there’s a workaround... If u absolutely need PIN login on AVD, u can use Certificate Trust or Key Trust models instead of TPM. Hybrid Azure AD Join + WHfB Key Trust. this bypasses TPM by using on-prem AD + Azure AD sync. Onprem domain controller (for Kerberos auth). Azure AD Connect syncing properly, Group Policy forcing WHfB in Key Trust mode.

Computer Config > Admin Templates > Windows Components > Windows Hello for Business > "Use Windows Hello for Business" = Enabled > 'Use certificate trust' = Disabled (forces Key Trust), Run gpupdate /force and reboot AVD VM. Full guide here

Cloud-Only WHfB with Software-Based PIN (No TPM). Not officially recommended (less secure), but possible via registry hack, open regedit on AVD VM (admin rights needed). HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork

Create a DWORD named RequireSecurityDevice = 0 (allows PIN without TPM). Reboot. (Warning: This weakens security! Only for testing.)

additional story about Windows 365 cloud pc, so windows 365 Enterprise (not AVD) DOES support vTPM!

If WHfB PIN isn’t showing, check for Entra ID WHfB policy (must be Enabled). Intune policy (if used) isn’t blocking it. User license includes Windows 10/11 Enterprise (required for WHfB).

summ, AVD Personal Host Pool? No WHfB with TPM. Use password or smartcard. win 365 cloud pc? Yes, if policies are set right. Workarounds? Key Trust (Hybrid) or registry tweak (less secure).

If u still hit a wall, try raising a Microsoft support ticket.... sometimes their backend configs need a nudge ))

rgds,

Alex
Alex Burlachenko 11,610 Reputation points

2025-06-08T11:58:17.39+00:00

Prabhjot Singh hey hey,how its going? any news of urs issue?

my best regards,

Alex
Alex Burlachenko 11,610 Reputation points

2025-06-09T09:22:57.91+00:00

Prabhjot Singh hey hey,how its going? any news of urs issue?

my best regards,

Alex

Answer 2

Deepthi R 25 Microsoft External Staff Moderator

Hi Prabhjot Singh,

To enable Windows Hello for Business (PIN and fingerprint login) for Azure Virtual Desktop (AVD) or Windows 365 Cloud PC, follow these steps for both Cloud-only joined machines and Entra ID joined machines.

Go to https://intune.microsoft.com/ -> Devices > Windows > Manage device -> Configuration -> click create for new policy -> choose platform as Windows 10 and later and profile type as Settings catalog and click Create

User's image

next Configure Settings: Search for Windows Hello for Business and enable the following:

    -   Use Windows Hello for Business (Device) -> Enabled
    -   Use Windows Hello for Business (User) -> Enabled
    -   Use biometrics -> Enabled       
    -   Maximum PIN Length
    -   Minimum PIN Length
    -   Use a Trusted Platform Module (TPM) -> Enabled
    -   Use PIN sign-in -> Enabled
        and any others as per your requirement.

Scope: default
Assign to: Device or user group that includes your Cloud PCs or AVD session hosts.
Review and create to deploy the WHFB.

To verify, login to the AVD or Cloud PC ->Open Settings > Accounts > Sign-in options

You should now see: **PIN (Windows Hello) ** and Fingerprint Recognition (if the device has biometric hardware).
Run command dsregcmd /status in PowerShell or cmd to see device state and other details.

For Hybrid Azure AD Joined Machines:

Use Group Policy (GPO) or Intune Co-management

reference: Plan a Windows Hello for Business Deployment | Microsoft Learn

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

User's image

Prabhjot Singh 255 Reputation points

2025-06-06T12:08:29.7966667+00:00

Hi Deepthi R, I haven’t had any success on my AVD machine with a host pool type set to Personal, even after configuring the required settings. Please let me know if there are any additional settings needed for Entra-joined AVD machines.
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-06T15:23:48.9233333+00:00

Hi Prabhjot Singh

Windows Hello for Business is not supported on Entra ID joined AVD session hosts in a personal host pool; to use it, you must either switch to a pooled host pool or use hybrid Azure AD join with the personal pool, along with enabling vTPM, using Windows 11, and configuring policies via Intune or Group Policy.
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-11T15:29:09.1433333+00:00

Hi Prabhjot Singh,

Just following up if the above response if helpful. if you still looking for any assistance, feel free to reach us.
Prabhjot Singh 255 Reputation points

2025-06-17T15:29:27.2833333+00:00

Hi @Anonymous and @Alex Burlachenko , I have configured a local machine that is Entra joined to the same tenant as my Azure Virtual Desktop (AVD) session hosts. On the local machine, Windows Hello for Business (WHfB) PIN works correctly. However, when the same user tries to access an AVD machine using their PIN, it fails. Is there an official Microsoft document explaining why WHfB PIN does not work for Entra-joined devices in Azure Virtual Desktop?
Deepthi R 25 Reputation points Microsoft External Staff Moderator

2025-06-18T13:29:23.79+00:00

Hi Prabhjot Singh,

Unfortunately, we don't find any Microsoft document that concludes whether Windows hello for business supports or not, but there are other members reported the same issue. You may refer below document for the same.

https://learn.microsoft.com/en-us/answers/questions/1017760/windows-hello-for-business-and-azure-virtual-deskt

Share via

Configure Windows Hllo for Business for Windows 365 cloud PCs and Azure Virtual Desktop

2 answers

Your answer