Windows Hello pin - face or fingerprint option is currently unavailable

Stavros Karnezis 0 Reputation points
2026-03-24T21:50:48.05+00:00

Subject: Need Help with Sign-In Options Problem

Hi everyone,

Hope you’re doing well! I’m having a problem on my company laptop where I can only sign in using my password—none of the other options work. This started after I reinstalled Windows and reused the same device name.

We’re in a hybrid setup with local domain controllers syncing with Azure. So far, I’ve tried deleting the TPM info and recreating the NGV folder, but no luck. Another user recently ran into the same issue, so it seems like this might not be a one-off problem.

I’ve looked into various fixes online, including checking group policies and registry keys, but nothing has worked. Removing my work account isn’t an option since we only have local admin accounts besides the work ones.

If anyone’s dealt with this before or has ideas on how to fix it, I’d really appreciate your help!

Thanks in advance!

Cheers,

Stavros Karnezis

Windows for business | Windows Client for IT Pros | Directory services | User logon and profiles

15 answers

  3. Stavros Karnezis 0 Reputation points
    2026-03-30T06:51:02.48+00:00

    Good morning Domic and thanks a lot for your prompt answer.

    As far as I can see from the output of the dsregcmd /status command, there are no red flags:

    C:\Users\stavros.karnezis>dsregcmd /status

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : LUXEOPS
           Virtual Desktop : NOT SET
               Device Name : LUX-LP026.luxeops.lu

    +----------------------------------------------------------------------+
    | Device Details |
    +----------------------------------------------------------------------+
                  DeviceId : 63530c3c-1057-
                Thumbprint : C31B8DCD017787
    DeviceCertificateValidity : [ 2025-11-19 05:41:26.000 UTC -- 2035-11-19 06:11:26.000 UTC ]
            KeyContainerId : 22cf3553-4ac6-
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

    +----------------------------------------------------------------------+
    | Tenant Details |
    +----------------------------------------------------------------------+
                TenantName : LUXEOps
                  TenantId : 82874bf1-66a1-40c2-
               AuthCodeUrl : https://login.microsoftonline.com/82874bf1-
            AccessTokenUrl : https://login.microsoftonline.com/82874bf1-
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
               SettingsUrl :
            JoinSrvVersion : 3.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/82874bf1-66
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/82874bf1-66a
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
                   KerbSpn : adrs/enterpriseregistration.windows.net
                   KerbUrl : https://login.microsoftonline.com/82874bf1-

    +----------------------------------------------------------------------+
    | User State |
    +----------------------------------------------------------------------+
                    NgcSet : YES
                  NgcKeyId : {EB9F67FE-871C-
                  CanReset : NonDestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2026-03-30 04:57:57.000 UTC
      AzureAdPrtExpiryTime : 2026-04-13 04:57:56.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/82874bf1
             EnterprisePrt : NO
    EnterprisePrtAuthority :
                 OnPremTgt : NO
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

    +----------------------------------------------------------------------+
    | Diagnostic Data |
    +----------------------------------------------------------------------+
        AadRecoveryEnabled : NO
    Executing Account Name : LUXEOPS\Stavros.Karnezis, ******@luxeops.lu
               KeySignTest : PASSED
        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES
      Last HostName Update : NONE

    +----------------------------------------------------------------------+
    | IE Proxy Config for Current User |
    +----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

    +----------------------------------------------------------------------+
    | WinHttp Default Proxy Config |
    +----------------------------------------------------------------------+
               Access Type : DIRECT

    As I am the Azure admin as well, I can reassure you that there are no stale devices.

    Please let me know if you need any additional information that could help me solve the issue.

    Kind regards,

    Stavros Karnezis


  4. Domic Vo 19,265 Reputation points Independent Advisor
    2026-03-24T23:05:46.99+00:00

    Hello Stavros,

    The fact that you can only sign in with a password after reinstalling Windows and reusing the same device name in a hybrid AD/Azure AD setup strongly suggests that the credential providers tied to Windows Hello for Business or smart card/TPM‑based sign‑in are failing to initialize correctly. When you reinstall Windows but reuse the same device name, the hybrid join object in Azure AD and the local domain trust can become misaligned. That mismatch prevents the system from retrieving the key material stored in the TPM or associated with the NGV folder, which explains why clearing TPM and recreating NGV didn’t help.

    The key indicator here is that other sign‑in options are missing entirely. In a hybrid environment, those options are exposed only if the device is properly registered in Azure AD and the local domain controllers can validate the Windows Hello for Business keys. If the device object in Azure AD is stale or duplicated, the OS falls back to password‑only sign‑in. You can confirm this by running dsregcmd /status and checking the values under Device State. If AzureAdJoined or DomainJoined show inconsistent values, or if Ngc Prerequisite Check fails, that’s exactly why the sign‑in options are unavailable.

    The supported fix is to re‑establish a clean hybrid join. That means removing the existing Azure AD device object for this machine, ensuring the local AD computer account is valid, and then re‑joining the device so that a new key pair can be provisioned in the TPM. Once the hybrid join is healthy, Windows Hello for Business will reprovision and the PIN/biometric options will reappear. Group Policy and registry tweaks won’t solve it because the underlying issue is the broken trust between the device and Azure AD.

    Since you mentioned another user hit the same problem, it’s likely a systemic issue with how reinstalled devices are being re‑registered. I’d recommend checking your Intune or Azure AD device cleanup policies to ensure stale objects are removed before reusing device names. If you cannot remove the work account, you’ll need to coordinate with your Azure AD administrator to delete the stale device object and allow the machine to re‑register cleanly.

    In short: the missing sign‑in options are caused by a broken hybrid join trust. Run dsregcmd /status to confirm, then re‑register the device in Azure AD to restore Windows Hello for Business functionality.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo
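As an added example (not code from this thread or from Microsoft), the PowerShell below parses `dsregcmd /status` output in the form quoted above and compares the fields this answer points to (join state, device authentication, PRT, the Ngc key container and the key sign test) with what a healthy hybrid-joined device reports. The embedded sample is constructed from the posted output; `-Live` runs `dsregcmd` on the local machine instead.

```powershell
# Added example (not from the thread): parse `dsregcmd /status` and compare the fields that gate
# Windows Hello for Business on a hybrid-joined device with the values a healthy device reports.
# Default input is a constructed sample taken from the output posted above; -Live runs dsregcmd locally.
param([switch]$Live)
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State |
         AzureAdJoined : YES
          DomainJoined : YES
          TpmProtected : YES
      DeviceAuthStatus : SUCCESS
                NgcSet : YES
            AzureAdPrt : YES
           KeySignTest : PASSED
'@ -split "`r?`n"

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Key/value rows look like "    AzureAdJoined : YES"; banners, separators and blanks do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Test-WhfbPrerequisites {
    param([hashtable]$Fields)
    # What a working hybrid-joined device with a provisioned Hello container reports.
    $expected = [ordered]@{
        AzureAdJoined    = 'YES'      # device object exists in Entra ID
        DomainJoined     = 'YES'      # on-prem AD join is intact
        TpmProtected     = 'YES'      # device key is held by the TPM
        DeviceAuthStatus = 'SUCCESS'  # device can authenticate to Entra ID
        AzureAdPrt       = 'YES'      # user holds a cloud PRT
        NgcSet           = 'YES'      # Hello key container is provisioned for this user
        KeySignTest      = 'PASSED'   # the TPM-backed key can still sign
    }
    $findings = @(foreach ($k in $expected.Keys) {
        $actual = if ($Fields.ContainsKey($k)) { $Fields[$k] } else { '<missing>' }
        if ($actual -ne $expected[$k]) { '{0}: expected {1}, got {2}' -f $k, $expected[$k], $actual }
    })
    return ,$findings
}

$lines = if ($Live) { & dsregcmd /status } else { $SampleStatus }
$findings = Test-WhfbPrerequisites -Fields (ConvertFrom-DsregStatus -Lines $lines)
if ($findings.Count -gt 0) { $findings } else { 'All checked dsregcmd fields match a healthy hybrid join.' }
```

On the output posted earlier in the thread every one of these fields already matches, so the join and the key container look intact and the fault has to be looked for elsewhere (credential provider, biometric hardware, or policy); a NO on NgcSet or a FAILED KeySignTest would instead point at the Hello container itself.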


  5. Q&A Assist
    2026-03-24T21:51:12.7+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    On a hybrid-joined, domain-managed device where Windows Hello for Business suddenly becomes unavailable after reinstalling Windows and reusing the same device name, focus on restoring a healthy Windows Hello/biometrics configuration and verifying that the platform requirements are met.

    Use the following sequence (IT/admin steps):

    1. Verify Windows Hello sign-in options are enabled
       • On the device, open Settings > Accounts > Sign-in options.
       • Under Manage how you sign in to your device, confirm that Windows Hello Face, Windows Hello Fingerprint, and Windows Hello PIN are present and not greyed out.
       • If PIN is failing or repeatedly prompting to set up again, remove and recreate it:
         • On the lock screen, go to Sign-in options and choose to remove the PIN, then add it again. This triggers a PIN reset and can restore PIN functionality.
         • If prompted again to create a PIN after already having one, this can be due to security updates or system changes; recreate the PIN and then test Hello again.
    2. Re-enroll biometrics from Windows
       If face or fingerprint options show but do not work:
       1. Sign in with the password.
       2. Go to Settings > Accounts > Sign-in options.
       3. For each non-working method:
          • Remove the existing enrollment.
          • Re-enroll:
            • For fingerprint: under Fingerprint recognition (Windows Hello) select Add a finger and capture multiple angles of the finger.
            • For face: under Windows Hello Face, use Improve recognition or set up again.
    3. Check biometric hardware and drivers
       If face/fingerprint entries are missing or show “We couldn’t find a fingerprint scanner compatible with Windows Hello Face/Fingerprint”:
       1. Open Device Manager.
       2. Expand Biometric devices.
       3. For the camera or fingerprint sensor:
          • Right-click > Uninstall device.
          • Restart the device so Windows reinstalls the driver.
       4. After restart, return to Sign-in options and check if Windows Hello Face/Fingerprint are available and working.
    4. Validate platform security (VBS and isolation components)
       For Windows Hello Enhanced Sign-in Security scenarios:
       1. Open System Information (msinfo32).
       2. In System Summary, confirm Virtualization Based Security is listed as Running.
       3. In System Information > Software Environment > Running Tasks, confirm bioiso.exe and ngciso.exe are running.
          • If VBS is not running or these processes are missing, the device may not meet Enhanced Sign-in Security requirements and Hello biometrics can fail.
    5. Restart the Windows Biometric Service and reset PIN container
       If biometrics still fail:
       1. In Settings > Accounts > Sign-in options, remove the PIN.
       2. Open an elevated Command Prompt.
       3. Run:
              net stop wbiosrvc && net start wbiosrvc
       4. Reboot, then set up the PIN again and test Hello Face/Fingerprint.
    6. Check for policy conflicts (especially in hybrid/domain)
       On domain-joined devices, Group Policy can block or partially break Windows Hello:
       • Confirm that Interactive logon: Do not display last user name is not causing issues with facial recognition at logon. When this policy is Enabled, facial recognition logon to the domain can fail, even if PIN and fingerprint still work and face can unlock the device after sign-in.
       • In Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, set:
         • Interactive logon: Do not display last user name to Disabled (or ensure it is not enforced as Enabled via domain GPO), then test Windows Hello logon again after a reboot.
    7. Surface- or device-specific checks (if applicable)
       If using a Surface or a device with a fingerprint power button:
       • Ensure the fingerprint reader or Fingerprint Power Button LED is on and the sensor is clean and dry.
       • For detachable keyboards with fingerprint readers, detach and reattach the keyboard, then test again.
    8. If the issue persists across multiple users/devices
       Because another user in the same hybrid environment has the same problem, this may be due to a tenant-wide or domain-wide configuration (GPO, security baseline, or Hello for Business policy). In that case:
       • Compare a working device’s Sign-in options, Device Manager (Biometric devices), and System Information (VBS and running tasks) with the affected devices.
       • Review recent Group Policy or security baseline changes that might affect Windows Hello for Business or Enhanced Sign-in Security.
       • If all local steps fail and hardware is healthy, file feedback via Feedback Hub from an affected device with logs while reproducing the failure.

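An added PowerShell example (not from the answer above) that gathers, in one read-only report, the local state the Device Manager, msinfo32, biometric-service and Group Policy checks above inspect by hand: VBS status from the Win32_DeviceGuard CIM class, whether bioiso.exe and ngciso.exe are running, the WbioSrvc service state, the DontDisplayLastUserName registry value behind "Interactive logon: Do not display last user name", and Biometric-class devices from Get-PnpDevice. Run it in an elevated PowerShell on an affected device and on a working one, and compare the two outputs.

```powershell
# Added example, not from the answer above: collect the local Windows Hello prerequisites that the
# Device Manager / msinfo32 / services / Group Policy steps inspect by hand into one read-only report.
function Get-HelloLocalState {
    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    # Isolation hosts that Enhanced Sign-in Security biometrics depend on
    $isoProcs = @(Get-Process -Name 'bioiso', 'ngciso' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name.ToLower() })
    $wbio = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue
    $wbioStatus = if ($wbio) { $wbio.Status.ToString() } else { 'not installed' }
    # "Interactive logon: Do not display last user name" is stored as this DWORD (1 = Enabled)
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $noLastUser = (Get-ItemProperty -Path $polKey -Name 'DontDisplayLastUserName' -ErrorAction SilentlyContinue).DontDisplayLastUserName
    $bio = @(Get-PnpDevice -Class 'Biometric' -ErrorAction SilentlyContinue | Select-Object FriendlyName, Status)
    [pscustomobject]@{
        VbsRunning          = ($null -ne $vbs -and $vbs.VirtualizationBasedSecurityStatus -eq 2)
        BioIsoRunning       = ($isoProcs -contains 'bioiso')
        NgcIsoRunning       = ($isoProcs -contains 'ngciso')
        WbioSrvcStatus      = $wbioStatus
        DontDisplayLastUser = ($noLastUser -eq 1)
        BiometricDevices    = $bio
    }
}

function Get-HelloFindings {
    param([pscustomobject]$State)
    $f = @(
        if (-not $State.VbsRunning) { 'VBS not running: Enhanced Sign-in Security biometrics may be unavailable' }
        if (-not ($State.BioIsoRunning -and $State.NgcIsoRunning)) { 'bioiso.exe and/or ngciso.exe not running' }
        if ($State.WbioSrvcStatus -ne 'Running') { "WbioSrvc (Windows Biometric Service) is $($State.WbioSrvcStatus)" }
        if ($State.DontDisplayLastUser) { 'DontDisplayLastUserName=1: face logon to the domain can fail with this policy Enabled' }
        if ($State.BiometricDevices.Count -eq 0) { 'No Biometric-class devices found (check the driver in Device Manager)' }
        foreach ($d in $State.BiometricDevices) {
            if ($d.Status -ne 'OK') { "Biometric device '$($d.FriendlyName)' has status $($d.Status)" }
        }
    )
    return ,$f
}

$state = Get-HelloLocalState
$state | Format-List
$findings = Get-HelloFindings -State $state
if ($findings.Count -gt 0) { $findings } else { 'No local Windows Hello prerequisite issues detected.' }
```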
