Biometrics removing itself

Question

Hi

I've pushed a GPO to a testing group enabling biometric login to Windows. You can find the settings below. The policy itself works, but every time the computer restarts or after about an hour, the fingerprint/PIN removes itself. If I turn off wifi and unplug ethernet cable, I don't have the issue as long as I don't connect to the network.

I've tested on another pc with my account, issue is not there. I've tried another user on my pc, working flawlessly as well.

I've compared all policies being pushed, but they are all the same and just mapping drives and installing printers. I have a feeling it's some corruption with my Windows profile but the bigger issue is that everyone I've tried the policy with is experiencing the same issue with their profile on their pc, leading me to believe something has been pushed in the past that's now giving issues with biometrics and I'm really not feeling like giving 300+ users a new Windows profile...

Did anyone have this issue before or does anyone know what's being kept in the user's profile for biometrics so I might be able to try to reset that first? I've done most Windows Hello troubleshooting steps I could find online including resetting the C:\Windows\System32\WinBioDatabase without any luck.

All ideas are very much welcome!

Answer 1

I recently for no reason at all started getting this on domain joined Win 10 machine (that had been working for years, no changes to GPO or AD OU structure etc):

Biometrics suddenly stopped working, so I just cleaned the database & started from scratch

I log I get success:

The Windows Biometric Service successfully enrolled ********* (S-1-5-21-4082346513-1501549782-1301224572-3058) using sensor: TouchChip Fingerprint Reader (WBF advanced mode) (USB\VID_0483&PID_2015\7&77D7852&0&2).

Then 30 min later for no reason at all I get:

The Windows Biometric Service successfully deleted a database record for ********* (S-1-5-21-4082346513-1501549782-1301224572-3058) on sensor: TouchChip Fingerprint Reader (WBF advanced mode) (USB\VID_0483&PID_2015\7&77D7852&0&2).

And I can do it again & again & again

Seb

Answer 2

Hello Jasper,

Thank you for your question and for reaching out with your question today.

It seems like you're experiencing issues with the biometric login settings applied through a Group Policy Object (GPO). While the issue is not present for other users or on other computers, it persists consistently for your user profile and other users within the testing group. Here are some suggestions to help troubleshoot and potentially resolve the problem:

1. Reset Windows Hello settings: You mentioned that you have already tried resetting the WinBioDatabase, but it may be worth attempting a more comprehensive reset of the Windows Hello settings. You can do this by following these steps: a. Open the Settings app (Windows key + I). b. Go to "Accounts" > "Sign-in options." c. Under Windows Hello, click on the biometric option you are using (e.g., Fingerprint or PIN). d. Click on "Remove" to remove the biometric or PIN data. e. Restart the computer. f. After the restart, set up the biometric or PIN login again and test if the issue persists.
2. Check for conflicting policies or settings: Review the GPOs being applied to the affected users and computers, including any other policies related to Windows Hello, biometrics, or user profiles. Look for any conflicting settings or policies that might interfere with the proper functioning of biometric login. Ensure that the policies are correctly configured and not contradicting each other.
3. Check for third-party software conflicts: If there are any third-party security or biometric software installed on the affected computers, they might be conflicting with the Windows Hello settings. Temporarily disable or uninstall any such software to see if it resolves the issue.
4. Review event logs: Check the Event Viewer on the affected computers for any relevant error or warning messages related to Windows Hello, biometrics, or user profiles. Look for any recurring patterns or specific events that coincide with the removal of biometric or PIN data.
5. User profile troubleshooting: Since the issue seems to be related to your user profile and other user profiles on the affected computers, it's worth exploring user profile troubleshooting steps. You can try creating a new local user profile on one of the affected computers and test if the biometric login works consistently for the new profile. If it does, it may indicate that there is indeed an issue specific to the user profiles. In such cases, you may need to consider further troubleshooting steps or even recreating the user profiles if necessary.

Remember to thoroughly document any changes you make during the troubleshooting process, and consider testing any proposed solutions in a controlled testing environment before applying them to production systems.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

If the reply was helpful, please don’t forget to upvote or accept as answer.

Answer 3

We currently have the same issue. When i move a computer to a new OU with new policies (none linking to any of the HELLO settings) the computer in the new OU has to reconfigure/learn its fingerprint for the user which had it already configured and working.