How to enable Windows Hello for Business biometrics setting disabled in Hybrid Azure AD Join PC?

Question

How to enable Windows Hello for Business biometrics setting disabled in Hybrid Azure AD Join PC?

EnterpriseArchitect 6,041

based on https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#provision-windows-hello-for-business

I am troubleshooting the Hybrid Azure AD Joined device's Windows Hello for Business biometrics configuration issue.

In particular, the highlighted entries show two different results, even though the event occurred under the same log name: Microsoft-Windows-User Device Registration/Admin within the same day:

User's image

How do I fix the issue so I can begin to use my Biometrics feature on this computer?
Is this because I do not have any Windows Hello For Business policy or configuration settings in the Intune portal https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/configurationProfiles?

1 answer

Your answer

Answer 1

ZhoumingDuan-MSFT 17,165 Microsoft External Staff

@EnterpriseArchitect,Thanks for posting in Q&A.

From your description, I know that you want to enable Windows Hello for Business biometrics setting in Hybrid Azure AD environment.

According to seeing the picture you provided, I found that the machine has not applied Windows Hello for Business policy, the machine did not meet the hardware requirements and the machine is connected by Remote Desktop.

If you want to enable Biometrics feature on your computer, please refer the following steps:

1.Go to Intune admin center, create a Windows Hello for business policy to enable Biometrics feature.

https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#enable-windows-hello-for-business

2.Check the targeted device whether meet the hardware requirements.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification#hybrid-deployments

https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements

3.Please do not use Remote Desktop to connect the machine, it will not apply Windows Hello for Business policy.

Please try the above information. if there is any update, feel free to contact me.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2023-10-23T06:43:25.59+00:00

@EnterpriseArchitect,Hope you are doing well.

May I know the above information resolved your issue, if there is any update, feel free to contact me.
EnterpriseArchitect 6,041 Reputation points

2023-10-23T11:09:50.1933333+00:00

@ZhoumingDuan-MSFT ,
My computer is still not able to use the PIN and Biometrics feature, despite I have followed steps #1 and #2.

What do I miss?

EnterpriseArchitect 6,041

@ZhoumingDuan-MSFT ,
I have followed additional steps to create the Intune policy: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy

However, my device is still not able to use the PIN and biometrics features.

PS C:\WINDOWS\system32> dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES



TimeCreated             Id Event Message                                                                                                                                                                                                                         
-----------             -- -------------                                                                                                                                                                                                                         
23/10/2023 10:09:20 PM 360 Windows Hello for Business provisioning will not be launched.                                                                                                                                                                         
                           Device is AAD joined ( AADJ or DJ++ ): Yes                                                                                                                                                                                            
                           User has logged on with AAD credentials: Yes                                                                                                                                                                                          
                           Windows Hello for Business policy is enabled: No                                                                                                                                                                                      
                           Windows Hello for Business post-logon provisioning is enabled: Yes                                                                                                                                                                    
                           Local computer meets Windows hello for business hardware requirements: Yes                                                                                                                                                            
                           User is not connected to the machine via Remote Desktop: Yes                                                                                                                                                                          
                           User certificate for on premise auth policy is enabled: No                                                                                                                                                                            
                           Machine is governed by none policy.                                                                                                                                                                                                   
                           Cloud trust for on premise auth policy is enabled: No                                                                                                                                                                                 
                           User account has Cloud TGT: Not Tested                                                                                                                                                                                                
                           See https://go.microsoft.com/fwlink/?linkid=832647 for more details.                                                                                                                                                                  
23/10/2023 10:09:19 PM 360 Windows Hello for Business provisioning will not be launched.                                                                                                                                                                         
                           Device is AAD joined ( AADJ or DJ++ ): Yes                                                                                                                                                                                            
                           User has logged on with AAD credentials: Yes                                                                                                                                                                                          
                           Windows Hello for Business policy is enabled: No                                                                                                                                                                                      
                           Windows Hello for Business post-logon provisioning is enabled: Yes                                                                                                                                                                    
                           Local computer meets Windows hello for business hardware requirements: Yes                                                                                                                                                            
                           User is not connected to the machine via Remote Desktop: Yes                                                                                                                                                                          
                           User certificate for on premise auth policy is enabled: No                                                                                                                                                                            
                           Machine is governed by none policy.                                                                                                                                                                                                   
                           Cloud trust for on premise auth policy is enabled: No                                                                                                                                                                                 
                           User account has Cloud TGT: Not Tested

ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2023-10-24T07:52:18.4033333+00:00

@EnterpriseArchitect,Thanks for your reply.

From seeing the error message you provided, I found that the Windows Hello for Business policy is not enabled. Please check whether you have assigned it to devices or users group.

Thanks for your kind understanding.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2023-10-26T08:56:19.38+00:00

@EnterpriseArchitect,Hope everything is going well.

I am writing as a courtesy to follow up on this issue. May I know the status from your side please? Please feel free to let me know if you have any concerns.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-11-10T00:54:16.7533333+00:00

Hello @EnterpriseArchitect , let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Share via

How to enable Windows Hello for Business biometrics setting disabled in Hybrid Azure AD Join PC?

1 answer

Your answer