Windows Hello for Business biometric configuration profile deployment blocked by local security policy overrides
Hey there, we pushed an Intune device configuration to enable Windows Hello fingerprint authentication across all compatible field laptops. The configuration dashboard reports success, but users find the biometric settings toggles completely locked out inside their local interface panels. What local registry flags take precedence?
1 answer
Hi Oliver Harris,
The UI lockout you are experiencing is expected behavior for a managed device, as Intune enforces policy by taking control of the Windows Hello for Business registry settings at HKLM\SOFTWARE\Policies\Microsoft\PassportForWork. To resolve this, ensure the "Use biometrics" setting is explicitly enabled within your Intune configuration profile, as a missing or misconfigured sub-setting can prevent the biometric hardware from being authorized. Because Intune acts as the authoritative source, local registry edits will be overwritten; therefore, you must apply changes directly in the Intune portal and trigger a manual sync on the client devices to enforce the correct state.
Domic
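Added example, not part of the answer above: a read-only PowerShell check that records every value under the key the answer names and, on a second run after a sync, lists what was rewritten. The key path is taken from the answer; the baseline file location and the function name `Get-PolicyLines` are assumptions made for this sketch.

```powershell
# Added example: read-only snapshot/diff of the policy key named in the answer.
param(
    [string]$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork',
    [string]$SnapshotPath = "$env:TEMP\whfb-policy-baseline.txt"  # assumed location
)

function Get-PolicyLines {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }  # key absent: nothing written here
    # Root key plus every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $Key) +
            @(Get-ChildItem -LiteralPath $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $kind = $k.GetValueKind($name)
            $data = $k.GetValue($name) -join ','   # flattens multi-string/binary data
            '{0} | {1} | {2} | {3}' -f $k.Name, $name, $kind, $data
        }
    }
}

$current = @(Get-PolicyLines -Key $PolicyKey)

if (-not (Test-Path -LiteralPath $SnapshotPath)) {
    # First run: record the baseline before the next sync.
    Set-Content -LiteralPath $SnapshotPath -Value $current -Encoding UTF8
    "Saved $($current.Count) value(s) to $SnapshotPath. Run again after the device syncs."
    return
}

$baseline = @(Get-Content -LiteralPath $SnapshotPath -Encoding UTF8)
$removed  = @($baseline | Where-Object { $current  -notcontains $_ })
$added    = @($current  | Where-Object { $baseline -notcontains $_ })

if ($removed.Count -eq 0 -and $added.Count -eq 0) {
    'No change: the key matches the baseline.'
} else {
    $removed | ForEach-Object { "- $_" }   # present before the sync, gone or changed now
    $added   | ForEach-Object { "+ $_" }   # written or changed since the baseline
}
```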
