Windows Hello for Business – Biometric requires PIN after success (Hybrid + Intune)

Sachin Ameta 25 Reputation points
2025-08-25T08:20:08.2233333+00:00

We are deploying Windows Hello for Business (WHfB) in a hybrid Azure AD joined environment, managed via Intune Account Protection policies. Our requirement is: fingerprint/face should unlock the device directly, and PIN should only be required if biometrics fail.

✅ What we have done:

  • Configured Intune policy: WHfB enabled, unlock factors = PIN + Fingerprint + Face, biometrics enabled, PIN recovery enabled.
  • Domain Controllers have valid KDC Authentication certs.
  • AAD Connect is syncing msDS-KeyCredentialLink.
  • Registry on client confirms DeviceUnlockFactors = 7.

⚠️ Current behavior:

  • Fingerprint/Face scan succeeds, but Windows still prompts: “Your organization requires one more step” → asks for PIN (every unlock, not just after reboot).

Event Viewer shows:

  • Event ID 5002: Invalid / No Bio
  • Event ID 3520: Attempting multi-factor unlock

This indicates Windows is treating biometrics as insufficient and always forcing PIN + biometric.

❓ Question:

How can we configure WHfB in hybrid + Intune so that biometric success alone unlocks the device, with PIN required only as fallback? Is this a known limitation of hybrid WHfB, or is there an additional Intune/AD FS/Certificate configuration needed to allow biometric-only unlock?

Windows for business | Windows Server | Directory services | Deploy group policy objects

Answer accepted by question author
Quinnie Quoc 7,550 Reputation points Independent Advisor
2025-08-25T09:23:17.6333333+00:00

Hi,

Thank you for contacting us. Based on your configuration and observed behavior, it appears that Windows is enforcing multi-factor unlock even when biometric authentication succeeds, which is not aligned with your intended policy.

This behavior is currently expected in hybrid WHfB deployments. In hybrid environments, Windows may treat biometric unlock as part of a multi-factor flow, especially when domain-joined trust models are used. The prompt “Your organization requires one more step” typically indicates that the system is enforcing PIN + biometric as a combined requirement, not fallback.

To allow biometric-only unlock with PIN as fallback, the following should be considered:

  • Ensure the trust model is key-based, not certificate-based, as certificate trust may enforce stricter unlock policies.
  • Review Intune Account Protection policy to confirm that “Use biometrics” is enabled and “Require PIN for sign-in” is not enforced.
  • Verify that AD FS or on-prem policies are not overriding unlock behavior.
  • Consider transitioning to a cloud-only trust model, which offers more flexibility for biometric-first unlock scenarios.

At this time, hybrid WHfB deployments may not fully support biometric-only unlock without PIN under all conditions. We recommend reviewing the latest WHfB documentation and monitoring for future updates that expand support.

Please let us know if you'd like assistance reviewing your trust model or policy configuration.

Best regards,

Quinnie Quoc.

    1 person found this answer helpful.
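The check a practitioner would run on the affected client before changing trust models, as an added example that is not code from the question or the answer above. Event 3520 “Attempting multi-factor unlock” is logged by the WHfB multi-factor unlock feature, which is configured through the PassportForWork CSP nodes DeviceUnlock/GroupA and DeviceUnlock/GroupB (the “first/second unlock factor” lists); when both groups are populated, Windows requires one credential provider from each group, so a successful fingerprint or face scan alone can never finish the unlock. The script below decodes those lists into factor names using the credential-provider GUIDs Microsoft documents for multi-factor unlock, counts recent 3520 events, and reads the join and certificate-enrollment state from `dsregcmd /status` to confirm the trust type the answer asks about. The registry paths checked and the `CertEnrollment` field name in the dsregcmd output are assumptions to verify against the CSP/ADMX reference for your build; run it in an elevated PowerShell session.

```powershell
# Added diagnostic for the behaviour described in the question; not code from the post or answer.
# Run elevated on the affected Windows client. Registry paths and dsregcmd field names
# below are assumptions to verify against the PassportForWork CSP / Passport.admx reference.

# Credential-provider GUIDs accepted by multi-factor unlock in GroupA/GroupB
# (documented in the Windows Hello for Business multi-factor unlock reference).
$UnlockFactorNames = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted signal'
}

function ConvertTo-UnlockFactorList {
    # Turns the comma-separated GUID string stored in GroupA/GroupB into readable names.
    param([string]$GroupValue)
    if ([string]::IsNullOrWhiteSpace($GroupValue)) { return @() }
    @($GroupValue -split ',' | ForEach-Object {
        $g = $_.Trim()
        if ($UnlockFactorNames.ContainsKey($g)) { $UnlockFactorNames[$g] } else { "Unknown($g)" }
    })
}

function Get-DeviceUnlockPolicy {
    # Candidate locations (assumption): GPO (Passport.admx) under
    # HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock and Intune/CSP under
    # HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\DeviceUnlock.
    $candidates = @('HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock')
    $candidates += @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Device\DeviceUnlock" })
    foreach ($path in $candidates) {
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        [pscustomobject]@{
            Path    = $path
            GroupA  = @(ConvertTo-UnlockFactorList $p.GroupA)
            GroupB  = @(ConvertTo-UnlockFactorList $p.GroupB)
            Plugins = $p.Plugins
        }
    }
}

function Test-MultiFactorUnlockEnforced {
    # Multi-factor unlock requires one provider from GroupA AND one from GroupB.
    # With both groups populated, a successful fingerprint/face (one group) is never
    # sufficient on its own; Windows then asks for a credential from the other group.
    param($Policy)
    return ($Policy.GroupA.Count -gt 0 -and $Policy.GroupB.Count -gt 0)
}

function Get-MultiFactorUnlockEvents {
    # 3520 "Attempting multi-factor unlock" from the HelloForBusiness operational log.
    param([int]$Hours = 24)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-HelloForBusiness/Operational'
            Id        = 3520
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop | Select-Object TimeCreated, Id, Message
    } catch { @() }   # Get-WinEvent throws when no matching events exist
}

function Get-HelloJoinState {
    # Parses "Key : Value" lines of 'dsregcmd /status'. CertEnrollment (assumption: present
    # in the Ngc Prerequisite Check section) reads 'none' when no certificate enrollment is
    # configured, i.e. key trust or cloud Kerberos trust rather than certificate trust.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:|]+?)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined  = $state['AzureAdJoined']
        DomainJoined   = $state['DomainJoined']
        NgcSet         = $state['NgcSet']
        CertEnrollment = $state['CertEnrollment']
    }
}

function Get-WhfbUnlockDiagnostics {
    $policies = @(Get-DeviceUnlockPolicy)
    $enforced = @($policies | Where-Object { Test-MultiFactorUnlockEnforced $_ })
    $events   = @(Get-MultiFactorUnlockEvents)
    if ($enforced.Count -gt 0) {
        $verdict = 'GroupA and GroupB are both populated: multi-factor unlock needs one factor from each group, so a biometric alone cannot complete unlock. For biometric-or-PIN behaviour, leave DeviceUnlock/GroupA and GroupB unconfigured.'
    } elseif ($events.Count -gt 0) {
        $verdict = '3520 events present but no GroupA/GroupB policy at the checked paths: locate the policy source (other registry path, Intune policy report).'
    } else {
        $verdict = 'No multi-factor unlock policy or 3520 events found in the window.'
    }
    [pscustomobject]@{
        JoinState                 = Get-HelloJoinState
        DeviceUnlockPolicies      = $policies
        MultiFactorUnlockEnforced = ($enforced.Count -gt 0)
        MultiFactorUnlockEvents   = $events.Count
        Verdict                   = $verdict
    }
}

Get-WhfbUnlockDiagnostics | Format-List
```

If `MultiFactorUnlockEnforced` comes back true, the “unlock factors = PIN + Fingerprint + Face” setting in the question was most likely applied as the GroupA/GroupB lists of the device-unlock (multi-factor) policy rather than as the ordinary set of allowed Hello gestures; with no DeviceUnlock policy at all, Hello accepts any single enrolled gesture (PIN, fingerprint or face) on its own, which is the biometric-first, PIN-as-fallback behaviour the question asks for. The trust type reported via `CertEnrollment` is only context for the answer’s key-trust versus certificate-trust suggestion; it does not by itself change the single-factor versus multi-factor decision.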
