Win 10 Security Baseline: Issue with WHFB

Hi heinzelrumpel​ , the log/message pattern you describe is usually caused by policy conflicts around Windows Hello for Business/Biometrics, and the Windows security baseline can definitely be the “second chef in the kitchen” even if you mainly deploy WHfB via GPO.

In the Windows (10) Security Baseline, the main WHfB-related settings to double-check are typically:

• Enhanced anti-spoofing / anti-spoofing for facial recognition
  If enabled, some cameras/drivers don’t support it properly and face sign-in can start failing.
• Allow biometrics / Allow users to log on using biometrics
  If baseline disables or tightens biometrics, fingerprint/face can behave inconsistently.
• (If present) Multi-factor unlock / Require additional factors
  This can explain the “face/fingerprint + PIN” behavior for that user.

Quick next steps:

1. On an affected device inside vs outside, run gpresult /h report.html and compare.
2. Check Intune Devices > Enrollment > Windows Hello for Business (avoid having WHfB configured in two places).
3. Pilot test: set the baseline WHfB/biometric items to Not configured for a small group, sync, re-enroll face/fingerprint.

If you paste which baseline version and the exact WHfB/biometric toggles you see in that baseline page, I can point to the most likely culprit in your tenant.