Forum Discussion
Win 10 Security Baseline: Issue with WHFB
Hi,
I activated the Intune Win 10 security baseline on a set of devices. I now experience an issue with WHfB. My face and fingerprint are not recognized, resp. the login process gives an error saying that I cannot be identified. One user reports that, when away from the company, WHfB works as expected, asking for face or fingerprint and a PIN as second factor. I have another policy in Intune that gives MDM policies precedence over GPO, so I cannot understand why it works for that one user when outside the company.
What settings in the MDM security baseline could possibly be the cause, resp. be responsible for broken WHfB?
5 Replies
- Simone_Termine (Brass Contributor)
Hi heinzelrumpel, the log/message pattern you describe is usually caused by policy conflicts around Windows Hello for Business/Biometrics, and the Windows security baseline can definitely be the “second chef in the kitchen” even if you mainly deploy WHfB via GPO.
In the Windows (10) Security Baseline, the main WHfB-related settings to double-check are typically:
- Enhanced anti-spoofing / anti-spoofing for facial recognition: if enabled, some cameras/drivers don’t support it properly and face sign-in can start failing.
- Allow biometrics / Allow users to log on using biometrics: if the baseline disables or tightens biometrics, fingerprint/face can behave inconsistently.
- (If present) Multi-factor unlock / Require additional factors: this can explain the “face/fingerprint + PIN” behavior for that user.
Quick next steps:
- On an affected device inside vs outside, run gpresult /h report.html and compare.
- Check Intune Devices > Enrollment > Windows Hello for Business (avoid having WHfB configured in two places).
- Pilot test: set the baseline WHfB/biometric items to Not configured for a small group, sync, re-enroll face/fingerprint.
If you paste which baseline version and the exact WHfB/biometric toggles you see in that baseline page, I can point to the most likely culprit in your tenant.
- heinzelrumpel (Brass Contributor)
- Bogdan_Guinea (Iron Contributor)
Did WHfB work before the baseline deployment?
It could be due to a conflicting GPO even if you set "MDM policies precedence over GPO". Why? If a GPO and MDM-CSP conflict occurs in a setting, the current GP value saved before the CSP was applied takes precedence.
Good luck!
- heinzelrumpel (Brass Contributor)
Yes, it worked before. I use the default settings in the Security Baseline, and WHfB is deployed via GPO. So what are the settings in the baseline that possibly conflict with GPO? I am not able to spot any when walking through the categories.
- Bogdan_Guinea (Iron Contributor)
Hi,
sorry for the late response.
You're likely using the 24H2 Security Baseline.
Check specifically under Windows Hello for Business Settings > Facial Features > Use enhanced anti-spoofing. This is the primary WHfB-related setting in the baseline; investigate how this option interacts with your GPO deployment.
Check the Intune | Devices | Enrollment | Windows Hello for Business settings to see if they're enabled and causing a scope or configuration mismatch with your on-premises GPO.
Use gpresult /h report.html on affected devices and compare registry keys (e.g., PassportForWork\Enabled) against baseline defaults; clear GPO links temporarily to test on one device so that you can better understand where the mismatch is.
Good luck!
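A way to do the registry comparison suggested above from one script, as an added example that is not part of the thread: it reads the WHfB/biometrics values written by GPO and by the PassportForWork CSP on the device and exports them to CSV, so the output from a device on the corporate network can be diffed against one off it. The MDM key layout (per-tenant subkey under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork) is an assumption from memory; verify it on your own device.

```powershell
# Added example, not from the thread: collect the WHfB/biometrics policy values a device has
# actually received from GPO and from the PassportForWork CSP so the two sources can be compared.
# Run once on the corporate network and once off it, then diff the two CSV files.
# Registry locations marked "assumed" are from memory; verify them against your own device.
param([string]$OutFile = "$env:COMPUTERNAME-whfb-policy.csv")

$checks = @(
    # GPO-written locations (Windows Hello for Business / Biometrics policy templates)
    @{ Source = 'GPO'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork';           Name = 'Enabled' },
    @{ Source = 'GPO'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics';                Name = 'Enabled' },
    @{ Source = 'GPO'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'; Name = 'EnhancedAntiSpoofing' }
)

# MDM-written locations: the PassportForWork CSP stores its values under a per-tenant
# subkey (assumed layout: <root>\<TenantId>\Device\Policies and <root>\<TenantId>\Device\Biometrics).
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
if (Test-Path -Path $mdmRoot) {
    foreach ($tenant in Get-ChildItem -Path $mdmRoot) {
        $checks += @{ Source = 'MDM'; Path = Join-Path $tenant.PSPath 'Device\Policies';   Name = 'UsePassportForWork' }
        $checks += @{ Source = 'MDM'; Path = Join-Path $tenant.PSPath 'Device\Biometrics'; Name = 'UseBiometrics' }
        $checks += @{ Source = 'MDM'; Path = Join-Path $tenant.PSPath 'Device\Biometrics'; Name = 'FacialFeaturesUseEnhancedAntiSpoofing' }
    }
}

$results = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source = $c.Source
        Path   = $c.Path
        Name   = $c.Name
        # 'not set' means this policy source never wrote the value on this device
        Value  = if ($null -ne $item) { $item.($c.Name) } else { 'not set' }
    }
}

# Recent WHfB error events help tie a sign-in failure to the moment a policy changed
$errors = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-HelloForBusiness/Operational'; Level = 2
    StartTime = (Get-Date).AddDays(-1) } -MaxEvents 20 -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation
"Exported $($results.Count) policy values to $OutFile; $(@($errors).Count) WHfB error events in the last 24h"
```

Run it in an elevated PowerShell session; a value that is set by GPO but 'not set' by MDM (or the reverse, or two different values) is the mismatch to investigate.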