WHfB prompting for password at first login

Hi All,

I can't seem to get these Intune policies correct for WHfB (Windows Hello for Business)

I want WHfB active using a pin for a customer. I have a test VM setup and registered with WHfB correctly. When you first power on the machine and login, there is no prompt for a pin, only the M365 password. Once logged in, I can lock, or log off and I am prompted with the PIN login. I restart the VM and I am pack to having to use a password for the initial login.

I have WHfB setup in the following areas

• Endpoint security | Account protection (Assigned to All devices and All users)
  • Use Windows Hello for Business (Device) - True
  • Use Windows Hello for Business (User) - True (tried without this first)
  • Minimum PIN length - 6
• Devices | Enrollment
  • Configure Windows Hello for Business - Enabled
  • TPM - Preferred
  • Minimum PIN length - 6
  • Allow biometric - Yes
  • Allow phone sign-in - Yes
• Devices | Configuration (assigned to All users & All devices)
  • Turn on convenience PIN sign-in - Enabled
  • Minimum PIN Length (User) - 6
  • Use Windows Hello For Business (User) - True
  • Use Remote Passport - Enabled
  • Allow Use of Biometrics - True

I know there is quite some double up having this configured at all possible levels. I started with Device enrollment and a configuration profile, and then moved to Account protection.

I'm currently going round in circles trying to work out why the initial login isn't prompting for a PIN.

(I also built a new VM and it's doing the same thing). Although, first reboot it worked fine from memory.

Thanks in advance Guru's