Issue with Windows Hello for Business Configuration and Provisioning in Intune
Hi everyone,
I’ve recently enabled and configured Windows Hello for Business in Intune for my tenant, following the instructions provided in the official documentation. Initially, it worked as expected, but it ended up being mandatory for all users.
To make it optional, I reverted the setting under Devices > Device onboarding > Enrollment > Configure Windows Hello for Business to “Not Configured.” After that, I created a new policy under Devices > Manage devices > Configuration, where I:
Enabled Allow use of Biometrics.
Configured the character options.
Set Use Windows Hello for Business (device) to True and Use Windows Hello for Business (user) to False.
Since then, users are unable to log in using their fingerprint, face ID, or PIN. Even when I changed the setting for Use Windows Hello for Business (user) to True (to make it mandatory), it still didn’t resolve the issue.
I’ve deleted the policy I created and re-enabled Devices > Device onboarding > Enrollment > Configure Windows Hello for Business tenant-wide.
Now, on the client computers, new users are prompted to configure their PIN and fingerprint. However, after completing the configuration, they receive the message: "That option is temporarily unavailable. For now, please use a different method to sign in."
This issue is happening on several devices running both Windows 10 and Windows 11, and they are all Hybrid Azure AD-joined.
In the Event Viewer under Microsoft-Windows-User Device Registration, I do not see Event ID 362. Instead, I see the following events:
Event 360: Windows Hello for Business provisioning will not be launched.
Device is AAD joined (AADJ or DJ++): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: No
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows Hello for Business hardware requirements: Not Tested
User is not connected to the machine via Remote Desktop: Yes
User certificate for on-premises auth policy is enabled: No
Machine is governed by no policy.
Cloud trust for on-premises auth policy is enabled: No
Event 363: The Microsoft Passport key is missing.
Can anyone suggest what might be causing this issue or point me in the right direction for troubleshooting?
My objective is to enable Windows Hello for Business but to make it optional to all users.
Thank you!
2 answers

Rahul Jindal [MVP] 10,876 Reputation points MVP
2025-04-09T16:35:24.1166667+00:00
Since the devices are hybrid joined, let's first check for GPO. Do you have any conflicting policies in GPO?
Jorge Ferreira 0 Reputation points
2025-04-10T12:57:50.2666667+00:00
Since yesterday I have deleted the policy and configured Windows Hello for Business tenant-wide back to "Not configured", but I still have users being prompted for the mandatory PIN configuration.
In the previous attempts, the tenant-wide or per-policy configuration was set with a minimum password length of 12 characters, but when the users are prompted to set a PIN it only asks for 6 characters, meaning that the policies in Intune are not being applied.
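The thread turns on three things: what the Event 360 prerequisite check on the client reports, whether a domain GPO is setting conflicting PassportForWork values (the answer above), and whether the Intune PIN-length setting ever reached the device (the follow-up about 6 versus 12 characters). The script below is an added example, not code from the original post or from Microsoft; it collects all three from one affected hybrid-joined client so the two policy sources can be compared side by side. The GPO key HKLM\SOFTWARE\Policies\Microsoft\PassportForWork and the MDM key HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\{Device,User}\Policies are the locations the author of this example knows Group Policy and the PassportForWork CSP write to; the exact value names present will vary by Windows build, which is why every value under each key is dumped rather than a fixed list. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not from the thread): gather the inputs to the WHfB Event 360
# prerequisite check and the two policy stores that feed it on one client.
# Assumption: run elevated, on the hybrid-joined machine showing the problem.

function Show-RegistryValues {
    param([string]$Path)
    # Dump every value under a key and its subkeys; PS* properties are
    # PowerShell bookkeeping, not registry data, so they are excluded.
    if (-not (Test-Path $Path)) { "  (key not present) $Path"; return }
    foreach ($key in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        "  [$($key.PSPath -replace '^.*::','')]"
        Get-ItemProperty $key.PSPath |
            Select-Object * -ExcludeProperty PS* |
            Format-List | Out-String | ForEach-Object { $_.Trim() }
    }
}

# 1. Provisioning decision events. 360 = will not launch (with the reasons),
#    362 = will launch, 363 = Microsoft Passport (NGC) key is missing.
"== Microsoft-Windows-User Device Registration events 360/362/363 =="
$filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 360, 362, 363 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) { "  no 360/362/363 events found" }
foreach ($e in $events) {
    "  {0:s}  Event {1}" -f $e.TimeCreated, $e.Id
    # Only the Yes/No/Not Tested lines matter for the diagnosis.
    $e.Message -split "`r?`n" | Where-Object { $_ -match ':\s*(Yes|No|Not Tested)\s*$' } |
        ForEach-Object { "      $($_.Trim())" }
}

# 2. Domain GPO source. Enabled=1 here makes "policy is enabled: Yes";
#    a PINComplexity\MinimumPINLength here overrides the Intune value.
"`n== GPO store: HKLM\SOFTWARE\Policies\Microsoft\PassportForWork =="
Show-RegistryValues 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

# 3. MDM (Intune PassportForWork CSP) source, one subkey per tenant ID.
#    Assumption: this is where the CSP lands its Device/User policy values.
"`n== MDM store: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork =="
Show-RegistryValues 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'

# 4. Same prerequisite check as Event 360, from dsregcmd, plus join/PRT state.
"`n== dsregcmd /status (join, PRT, NGC prerequisite check) =="
dsregcmd /status |
    Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt|NgcSet|Ngc Prerequisite|PolicyEnabled|PostLogonEnabled|DeviceEligible|SessionIsNotRemote|CertEnrollment|PreReqResult' |
    ForEach-Object { "  $($_.Line.Trim())" }

# 5. Quick verdict on the two symptoms discussed in the thread.
"`n== Summary =="
$minPin = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'PINComplexity' } | ForEach-Object { $_.PSPath }
) | Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { (Get-ItemProperty $_ -ErrorAction SilentlyContinue).MinimumPINLength } |
    Where-Object { $_ }
if ($minPin) { "  MinimumPINLength values seen: $($minPin -join ', ')" }
else         { "  no MinimumPINLength in either store: the client will use the built-in default, not the Intune value" }
$enabled = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -ErrorAction SilentlyContinue).Enabled
"  GPO Enabled value: $(if ($null -eq $enabled) { '(absent)' } else { $enabled })"
```

Reading the output: if Event 360 reports "policy is enabled: No" and neither store carries an Enabled value, no policy reached the device, which matches PIN prompts that ignore the Intune length setting. If the GPO store has values the Intune policy does not, that is the conflict Rahul is asking about, and the GPO wins on a hybrid-joined device unless the MDM-wins-over-GP policy is set.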