This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 78%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETW%3C/text%3E%3C/svg%3E)
Hello,
We are deploying WHfB to Windows 10 Pro devices, using Intune.
Devices are compatible to have this setup but users aren't getting prompted for a PIN, after the biometric is set.
The laptops that are having this issue are different models and all up-to-date.
Can we get some guidance on why this is happening?
Kind regards
The pin entry screen opens for a split second and then closes.
Hey Tom
Did you try to follow these steps?
.5. Update device drivers: Make sure that the device drivers on the laptops are up-to-date. Outdated or incompatible drivers can cause issues with WHfB functionality. Check the device manufacturer's website for the latest drivers and update accordingly.
Hi Gleb,
Thanks for the response and the steps
Is there a way to reset all WHfB settings and try again or re-apply the Configuration Policy manually?
Kind regards
Tom you can do that
1. Reset WHfB settings using PowerShell: a. Open a PowerShell window with administrative privileges. b. Run the following command to reset the WHfB settings: Get-ChildItem -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” | Remove-ItemProperty -name “"AllowDomainPINLogon" -ErrorAction SilentlyContinue c. Restart the device to apply the changes. d. After restarting, attempt to enroll with WHfB again using the desired configuration policy.
Excellent - I'll give the Powershell command a go tomorrow. Is it best targeting a user group or a machine group?
how is set up on your side?
on my side is machine group
At present, we have a user group with 5 people testing it then it will either go to all users or all devices.
I have tried the PowerShell on a laptop that is working with WHfB - what is the expected outcome if the command runs successfully?
Machines groups
Also, if you can test with a both way Win Hello apply to 5 devices and this resolution to devices as well, should help with your issue.
Hello - I tried the certutil.exe -DeleteHelloContainer in PowerhShell and that gave me the error 'NTE_NOT_FOUND)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Tom Wrigglesworth,Thanks for posting in Q&A.
From your description, I know you encountered an issue that users aren't getting prompted for a PIN, after the biometric was set.
For the issue, please try to enable windows Hello Biometric Login on the affected device manually to see if it can work. After the policy is assigned to the device group, we can log one user to sync and get the policy and go to Settings > Accounts > Sign-in Options to set the biometric. Then restart the device to see if it can work.
However, if it still failed, please collect the following information to clarify:
How did we configure the configuration policy, Is it under Identity Protection? Could you get a screen shot of the detailed configuration?
Please check the "Device status" to see if the policy is applied successfully.
Please check if the policy is assigned to device group.
Please check if there exist the errors in Event Viewer. Location: Event Viewer > Applications and Services logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
You can try to unassign the policy and reassign the policy to check whether can resolve the issue.
Please try the above suggestion and if there's anything unclear, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello,
We're getting users that dont have the PIN setup screen after they setup the fingerprint/face.
-- We tried that and got exactly the same issue. The finger print and face allowed the scan but then the PIN window just didn't load.
However, if it still failed, please collect the following information to clarify:
-- How did we configure the configuration policy, Is it under Identity Protection? Could you get a screen shot of the detailed configuration?
THe policy was made in Identity Protection and is targeted at a test group. The policy works for me and 2 other users, I can't find any simalarities of the users and machines.
Please check the "Device status" to see if the policy is applied successfully.
-- The Policy is showing under device status as successful
Please check if the policy is assigned to device group.
-- The group has been adjusted to remove the user having the issue and the machine has been added.
Please check if there exist the errors in Event Viewer. Location: Event Viewer > Applications and Services logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
-- I ran the process for face but got no errors or warnings in the log.
You can try to unassign the policy and reassign the policy to check whether can resolve the issue.
-- I have removed the user from the policy group and this made no impact.
Is there a way to trigger that stage of the setup manually or apply the PIN another way?
I have reset one of the machines that was having this issue, the PIN window opened up after the same user signed in.
We have 5 so far so dont want to use that as a fix, is there a way to completely reset the WHfB and PIN configs?
Tom
Can you build admin policy and add these 5 users to this policy and test?
Thank you - if I add the WHfB test group, would it disrupt users that work?
you can add same group where is this people this policy has to apply to users.
Thanks for that Gleb - I've added the users and we'll see the outcome tomorrow when they're in.
Sounds good Tom, also please make sure Hide last signed-in user its set to disabled.
Mission failed Gleb, looking at my machine (working) and a user having this issue, they have a lot of the Dell built-in applications. Is there a way to determine if other applications are causing this fault?
no is not applications, couple questions are Windows 10? its hybrid or Azure? Also is Hide last signed-in user its set to disabled. on your side?
Windows 10 is hybrid (no GPOs that would change this), we have reset a device that had the issue with a bare bones setup (All updates, Domain joined and Intune Enrolled) it then picked up the WHfB setup successfully. Hide last signed in user has not been changed so it currently on the setting it comes with.
Tom can you please share your Hello Set up
Hi - sorry for the delay. I spoke with Microsoft Support who said that WHfB doesn't work with Intune and logging in using WHfB - I have 4 users working so not sure if I've set it up wrong.
Hi all - I've spoken to the board and they want WHfB optional, that end users can setup themselves. I've spoken to the gent having this problem and he's OK going without for now. Can you advise how we can configure Intune to enable WHfB but not be mandatory?
@Tom Wrigglesworth,Thanks for your update.
Based on my research, here is some links that you can refer.
https://www.adamfowlerit.com/2020/04/windows-hello-for-business-a-less-forceful-rollout-option/
https://blog.matrixpost.net/disable-windows-hello-for-business-prompt-on-azure-ad-joined-devices/
Non-official, just for reference.
Hope this can helpful.
@Tom Wrigglesworth,Hope you have a nice day!
May I know the above information is helpful? If there is any update, feel free to let me know.
Hi @ZhoumingDuan-MSFT - this has not helped unfortunately