Share via

Windows Hello for Business forcing PIN setup on every login

Redda Krongpilas 20 Reputation points
2026-04-30T02:24:40.1233333+00:00

We're in a hybrid environment. A user resets their password, and now every time they lock and unlock their machine, Windows prompts them to Set up a PIN. They go through the steps, but it asks again the next day. How do I stop this loop or just disable Hello for Business entirely for this one user?

Windows for business | Windows Client for IT Pros | Directory services | User logon and profiles
0 comments

Answer accepted by question author

Domic Vo 22,685 Reputation points Independent Advisor
2026-04-30T02:39:40.1433333+00:00

Hi Redda,

This loop happens because Windows Hello for Business is still being enforced for that user, even though they complete PIN setup. The enforcement comes from either Intune device configuration or Group Policy, specifically the setting under Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business → Use Windows Hello for Business. If it’s set to “Enabled” or “Not Configured” in a hybrid environment with Azure AD join, the user will be prompted repeatedly. To stop it for a single user, you need to scope the Intune policy or GPO so that it excludes that account, or explicitly set the policy to “Disabled” for their OU or device group. On the client, you can confirm by checking HKLM\SOFTWARE\Policies\Microsoft\PassportForWork — if Enabled is set to 1, Hello is enforced. Setting it to 0 via policy will stop the PIN prompt. There’s no supported way to disable Hello for just one user without scoping policies, so the clean fix is to adjust assignment in Intune or GPO rather than trying to hack it locally.

Let me know how it works.

Domic V.

Was this answer helpful?

1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-04-30T02:24:50.5566667+00:00

    Windows Hello for Business is designed so that, once provisioned, users must keep a PIN as the fallback credential; it cannot be disabled for a single user while still using Windows Hello for Business for that account. Disabling or hiding the PIN credential provider also disables biometrics.

    To break the loop for this user, focus on fixing the PIN/credential state rather than trying to turn off Hello for Business just for them:

    1. Have the user sign in with an alternate method (password or other configured sign-in option).
    2. From the desktop, go to Settings > Accounts > Sign-in options.
    3. Under PIN (Windows Hello), select I forgot my PIN and complete the PIN reset flow, including the required multifactor authentication.
      • This uses the Windows Hello for Business PIN reset service if configured. For Microsoft Entra hybrid joined devices, ensure the device has connectivity to domain controllers if a destructive PIN reset is being performed.
    4. Confirm that after the reset completes, the user can lock/unlock with the new PIN without being prompted to set it up again.

    If the device is Microsoft Entra joined or hybrid joined and the loop persists, verify that the correct PIN reset mode is available for the deployment model (destructive vs. nondestructive) and that any required corporate network connectivity is present, as missing connectivity can prevent the PIN container from being updated correctly and cause repeated setup prompts.

    If the organization’s goal is to avoid PIN usage entirely for this user, the only supported way is to avoid using Windows Hello for Business for that account/device (for example, by not provisioning Windows Hello for Business to that user or device via policy). Once Windows Hello for Business is in use, the PIN cannot be disabled independently.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.