question

0 Votes
JCircuit13-9032 asked LuDaiMSFT-0289 commented

Unable to Sign in with Windows Hello

Hi All,

I'm having an issue attempting to set up Windows Hello PIN within my organization. I have attempted to configure it in both GPO and MDM (Intune). I attempted both separately and together, as I know there is a possibility of conflict when configuring in both.

In GPO on both Domain Controller and local machine (attempted independently and together) I configured both:

Administrative Template > Windows Components > Windows Hello for Business > Use Windows Hello for Business = Set to Enable

and

Administrative Template > System > Logon > Turn on Convenience PIN Sign-in = Set to Enable

I also made sure the policy was linked to the proper OU and scope filtering was set up correctly, and ran gpupdate /force after configuring (completed successfully).

Result - This enables the option to use and setup the PIN but when attempting to sign in with PIN I receive errors (I will attach errors below)

I have also attempted to configure this in Intune as well using the following configuration.

139479-iwh4bsnap.png

I have made sure both my Computer name and User is in the proper security group specified in policy and that my device was in compliance and recently checked in.

Result - again this enables the option to use and setup the PIN but when attempting to sign in with PIN I receive errors (I will attach errors below)

The Errors I'm receiving.

After Entering PIN

139544-capture1.png

After Clicking "Okay"

139524-capture2.png

Then I attempt to "Setup my PIN" and get

139509-capture3.png

I checked Event Viewer and I'm getting Audit Failure with EventID 4625 during those times

I attempted to look this up online and saw some people were having luck with taking ownership and renaming or deleting the contents of the "ngc" folder located at C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft

I tried this using a local Admin account to complete this process still with no luck in resolving the issue.

Here is my Windows version:

139525-winversnap.png

Any help would be greatly appreciated. Please let me know if there is any additional information I can provide.

Thank you,


windows-10-general windows-group-policy mem-intune-device-configurations

0 Votes
Jason-MSFT answered JCircuit13-9032 commented

Convenience PINs are not the same thing as WHfB PINs. See https://support.microsoft.com/en-us/topic/254aa584-443b-ec69-c417-ee4020dc9d1d for details.


Hi Jason,

Thank you for your answer. I have already attempted running with each GPO applied independently and together. Just to confirm this, I have gone back and set all GPO policies to "Not Configured", keeping only the Intune configuration policy set. I then ran gpupdate and synced to Intune again. The option to create/change the PIN is still not grayed out, meaning the Intune policy is working. However, I am still getting the same error message. Also, I see in the link you posted:

"Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled)."

It may be worth mentioning this PC is Azure AD-joined.

Any additional information or suggestions are greatly appreciated as this issue is still not resolved.

Thank you

0 Votes 0 ·
0 Votes
Jason-MSFT answered LuDaiMSFT-0289 commented

"It may be worth mentioning this PC is Azure AD-joined."

Confused on this statement. How are you applying GPOs? GPOs are unrelated to Azure AD joined systems.


It's a hybrid AD setup. I apply GPOs directly from the Domain Controller's Group Policy Management Tool. Regardless, the GPOs should not be needed if there is a configuration policy set up in Intune for Windows Hello for Business. Correct?

0 Votes 0 ·

"It's a hybrid AD setup"

OK, that contradicts the statement I called out above then.

Correct, they shouldn't be needed, but now that you've applied them, it's possible something has gone sideways. I'd suggest testing with a device that has no WHfB specific GPOs applied and never has had any applied either.

0 Votes 0 ·
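
Added example, not part of the thread: a PowerShell check for the two points discussed above, the device's actual join type and which of the two PIN GPO values are present, applying the convenience-PIN rule quoted from the support article. The function names are hypothetical, the dsregcmd lines are a constructed sample, and the two registry locations are assumed to be where these GPO settings are written; Intune-delivered policy is not inspected.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-JoinState {
    param([string[]]$DsregLines)   # text lines of `dsregcmd /status`
    $flag = @{ AzureAdJoined = $false; DomainJoined = $false; NgcSet = $false }
    foreach ($line in $DsregLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|NgcSet)\s*:\s*(YES|NO)\s*$') {
            $flag[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $type = 'Not joined'
    if ($flag.DomainJoined)  { $type = 'Domain joined only' }
    if ($flag.AzureAdJoined) { $type = 'Azure AD joined' }
    if ($flag.AzureAdJoined -and $flag.DomainJoined) { $type = 'Hybrid Azure AD joined' }
    [pscustomobject]@{ JoinType = $type; InAzureAd = $flag.AzureAdJoined; NgcSet = $flag.NgcSet }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)   # returns $null when the value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PinPolicy {
    param($Join, $WhfbEnabled, $ConveniencePin)
    $notes = @("Join type: $($Join.JoinType); Hello key provisioned (NgcSet): $($Join.NgcSet)")
    if ($WhfbEnabled -eq 1 -and $ConveniencePin -eq 1) {
        $notes += 'Both PIN policies are enabled by GPO; they configure different credentials.'
        if (-not $Join.InAzureAd) {
            $notes += 'Device is not in Azure AD: a convenience PIN cannot be created in this state.'
        }
    } elseif ($ConveniencePin -eq 1) {
        $notes += 'Only the convenience PIN GPO is enabled; this is not a WHfB PIN.'
    } elseif ($WhfbEnabled -eq 1) {
        $notes += 'Only the WHfB GPO is enabled.'
    } else {
        $notes += 'No PIN GPO value present; any PIN option comes from another source (e.g. MDM).'
    }
    $notes
}

# Constructed sample; on a real device use: $lines = dsregcmd /status
$lines = '  AzureAdJoined : YES', '  DomainJoined : YES', '  NgcSet : NO'
# Assumed GPO registry locations for the two settings named in the question.
$whfb = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled'
$conv = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'AllowDomainPINLogon'
Test-PinPolicy -Join (Get-JoinState $lines) -WhfbEnabled $whfb -ConveniencePin $conv
```

Running it on both the original PC and the clean test device gives a side-by-side view of join type and leftover GPO values before comparing Intune results.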

Ok, so I tested on another machine that is linked to Intune. I made sure to add it to the proper security group that is attached to the configuration profile. I also made sure it was synced to Intune afterward. Once I knew the Sync was complete I rebooted and checked settings. The PIN doesn't display as an option.
140185-image.png
140149-image.png
140283-image.png

Any ideas on where I'm going wrong?


0 Votes 0 ·

Are there any updates on this issue?

0 Votes 0 ·