If Windows Hello for Business has stopped working on Windows 11 or Windows 10, this guide walks through how to fix it.

Consider a scenario: you are starting to implement Windows Hello for Business and have deployed it as a GPO. It has been working fine, and you onboard users by adding them to the OU the GPO is linked to. You run gpupdate /force, restart, and the provisioning screen appears as expected for Windows 11 and Windows 10 users, who then enroll successfully. You also have the cloud trust counterpart policy in Intune. Recently, 2 users entered the wrong PIN a couple of times, and WHfB became unavailable for them. In addition, all of their Sign-in options in Windows Settings are greyed out: they cannot change the PIN, add a fingerprint, or remove a sign-in option. One of the users reported that after working from home one day, connected to the office VPN, and working from the office the next day, it started working again.


You will naturally wonder what pattern causes WHfB to become unavailable and stay that way until the device contacts the DC again, if that is indeed the trigger. Is there a command or registry setting that forces users to enroll in WHfB again while the buttons are unavailable? After some time or a few restarts the buttons may reappear and the user may be able to change the PIN and add a fingerprint, but how do you fix this permanently? Let's look at some advice.

Fix: Windows Hello for Business stopped working

When implementing Windows Hello for Business (WHfB), it’s important to understand the behavior and troubleshooting options. Here are some insights and suggestions for the issues you’ve described:

Option 1: Retry timeout for PIN attempts

By default, there is a retry timeout for PIN attempts. If a user fails to input the correct PIN several times, WHfB may become temporarily unavailable.

The exact timeout duration can vary depending on the policy settings configured in the GPO.

This behavior is in place to protect against brute-force attacks.

Option 2: Greyed-out Sign-In options

When WHfB becomes temporarily unavailable due to repeated PIN failures, the Sign-In options in Windows Settings can be greyed out, preventing users from changing the PIN, adding fingerprints, or modifying the sign-in options.

This is an expected behavior during the temporary lockout period.

Option 3: Connectivity and sync with the domain controller

In some cases, WHfB availability and functionality can be affected by connectivity issues or synchronization delays with the domain controller.

In your case, the user experiencing the issue reported that it started working again after connecting to the office VPN or working from the office.

This suggests that the synchronization with the domain controller or network connectivity may have played a role in resolving the issue.

Option 4: Enrolling in WHfB again

To force users to re-enroll in WHfB, you can try the following steps:

  1. Open an elevated Command Prompt.
  2. Run gpupdate /force so the latest policy is applied.
  3. Restart the computer to refresh the WHfB settings.
  4. After the restart, check if the Sign-In options are available for users to re-enroll in WHfB.
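The steps above are easier to act on if you can see, after the policy refresh, whether the WHfB policy actually landed, whether the device can reach a domain controller, and whether the user still has an enrolled key. The following PowerShell script is an added example, not part of the original post; it assumes the policy registry path HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork with an Enabled value, the field names printed by dsregcmd /status, and the Microsoft-Windows-HelloForBusiness/Operational event log, which are the common locations on a domain-joined client but should be verified against your own build.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the "WHfB unavailable / greyed-out Sign-in options" scenario.
# Assumptions (not from the original article): the PassportForWork policy registry
# path and value name, the dsregcmd /status field names, and the WHfB event log name.

function Get-WhfbState {
    # 1. Re-apply Group Policy, as in step 2 of the article.
    gpupdate /force | Out-Null

    # 2. Did the WHfB GPO land on this machine? (assumed value name: Enabled)
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $pol -and $pol.Enabled -eq 1)

    # 3. Parse dsregcmd /status into a hashtable of "Name : Value" lines.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }

    # 4. Can the device reach a DC right now? This is the connectivity/sync
    #    angle from Option 3; a failed secure channel or no DC explains
    #    why things only recover on VPN or in the office.
    $dcReachable = $false
    try { $dcReachable = [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch {}
    $dc = (nltest /dsgetdc:$env:USERDNSDOMAIN 2>$null | Select-String 'DC:') -replace '^\s*DC:\s*', ''

    # 5. Recent WHfB warnings/errors (Level 2 = Error, 3 = Warning).
    $events = Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |
        Select-Object -First 5 TimeCreated, Id, Message

    [pscustomobject]@{
        PolicyEnabled   = $policyEnabled
        DomainJoined    = $status['DomainJoined']
        AzureAdJoined   = $status['AzureAdJoined']
        AzureAdPrt      = $status['AzureAdPrt']     # PRT needed for cloud trust sign-in
        NgcSet          = $status['NgcSet']         # YES = user still has a Hello key
        CanReset        = $status['CanReset']       # whether PIN reset is available
        DcReachable     = $dcReachable
        DomainController = $dc
        RecentWhfbIssues = $events
    }
}

Get-WhfbState | Format-List
```

Run it in the affected user's session before and after the restart from step 3: NgcSet = YES with DcReachable = False points at the connectivity case from Option 3, while PolicyEnabled = False means the GPO never applied and re-enrollment will not be offered.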

Option 5: Default behavior and availability

The temporary lockout and greyed-out Sign-In options during a PIN failure are default behaviors designed for security purposes.

These measures protect against unauthorized access and brute-force attacks.

After a certain period or successful sync with the domain controller, the lockout is lifted, and users regain access to the Sign-In options.

Hope something helps!
