This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 85%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hello,
I am working on enabling Windows Hello for Business and I am running into an issue with the "Require Security Device" policy. My devices are running Windows 11 22H2 with the TPM 2.0 modules enabled, and I have enabled cloud trust. According to this MS article, I should enable these policies from the Settings Catalog and deploy them to my devices or users (I have it deployed to a device group.)
After sending the policy to my test group, Intune is reporting an error with the Require Security Device policy on some devices as it is not compliant.
Also I have noticed on at least one machine, the results will flip between compliant and not compliant. I validated the TPM module is visible to Windows and I cannot find any issues with it. Despite this, I created a Windows Hello configuration policy using the Identity Protection template and and deployed to the same device group. My testers were able to enroll in Windows Hello for Business and it works fine as I understand Windows will provision Windows Hello using software as opposed to the TPM if it is unavailable or not functioning but I don't understand why this is happening to begin with. Thanks in advance.
Update: After posting, I checked the HelloForBusiness event log on my PC and I noticed these two events which may explain the policy is succeeding or failing though I haven't come across this before. I think this might be driver related but I am fairly sure that I am up to date. I'll do a driver check and post back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Mike G Is there anything we can help? If yes, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 81%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB6%3C/text%3E%3C/svg%3E)
Hello Mike, I'm seeing the same behavior with Win 10 22h2 and Win 11 22h2 devices in two separate tenants and am wondering if you have determined the cause.
In the registry, "RequireSecurityDevice" will sometimes appear under the device and then flip to under the UserSID, even though the configuration profile in Intune is assigned to the device.
HKLM\SOFTWARE\Microsoft\Policies\PassportForWork<GUID>\Device\Policies
HKLM\SOFTWARE\Microsoft\Policies\PassportForWork<GUID><UserSID>\Policies
I believe Intune is reporting what is occurring on the devices properly, but I'm not sure what is causing the setting to flip-flop on the devices.