Unable to setup Windows Hello for Business
When registering Windows Hello, you may encounter the error 0x80090010 which corresponds to NTE_PERM on the Microsoft doc page(https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation).
The problem is indicated on the Windows Release Health page on https://admin.cloud.microsoft/?#/windowsreleasehealth/knownissues/:/issue/WI1121302
The contents are shown below:
Windows Hello PIN setup might fail with error code 0x80090010
WI1121302, Windows 11, version 24H2
Last updated: Jul 24, 2025, 11:00 PM GMT+2
Originating time: Jun 10, 2025, 7:00 PM GMT+2
Status
Confirmed
User impact
This issue affects enterprise devices managed by Microsoft Intune or Azure AD, disrupting authentication and deployment.
Are you experiencing this issue?
Is this post helpful?
Latest message View history
Following the installation of the June 2025 Windows security update (KB5060842) or later updates, you might encounter issues with Windows Hello PIN setup on Microsoft Entra joined devices [link]. You might observe issues such as PIN setup failing with error code 0x80090010 [link] (NTE_PERM) and the message ‘Your PIN could not be set up’, the PIN setup window closing unexpectedly or being unable to reset your PIN. This issue particularly affects Windows 11 devices that are installed through Intune [link].
This issue is only known to occur when the UsePassportForWork policy setting is configured at the scope level to the User: User/{TenantId}/Policies/UsePassportForWork [link].
The issue is not present for deployments that configure the UsePassportForWork policy setting at the scope level to the Device: Device/{TenantId}/Policies/UsePassportForWork [link].
Resulting from this issue, the application event log in Event Viewer might show an application error with Event ID 7703 indicating ‘Windows Hello for Business policy is disabled, causing operation failure’ or Event ID 7055 indicating ‘Windows Hello container provisioning failed with error 0x80090010’. This issue has been reported with the following Windows updates:
- KB5060842: June 10, 2025, Windows security update
- KB5063060: June 11, 2025, Windows Out-of-band update
KB5062553: July 8, 2025, Windows security update
Workaround: IT administrators can temporarily mitigate this issue by enabling the UsePassportForWork policy setting at the "Device" scope (Device/{TenantId}/Policies/UsePassportForWork [link]) to enable Windows Hello for Business at the device level.
Next Steps: We are investigating this issue and will provide more information when it is available.
Affected platforms:
- Client: Windows 11, version 24H2
- Server: None
In summary, setting a Windows Hello PIN may fail with error 0x80090010 on Windows 11 24H2 devices joined to Entra and deployed via Intune. The issue only occurs when the UsePassportForWork policy is set at the User level (in Intune Configuration policies or Endpoint Security > Account Protection) and not at the Device level in Intune (in the Intune Enrollment section).
Windows updates
As mentioned, updates KB5060842, KB5063060 and KB5062553 are causing problems. It may be tempting to uninstall them, but as they are security updates, I wouldn't recommend it.
The September 2025 update doesn't correct the problem either.
You'll have to use the solution presented in the rest of this article.
Fix
As a first step, it is recommended to remove your PCs from the Windows Hello policies in Intune. It may be necessary to wait several hours or to force synchronization, followed by a restart.
Then, create a file Fix-WindowsHello.reg with the following content:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork]
"UsePassportForWork"=dword:00000001
"Enabled"=dword:00000001Run the .reg file to add these values to your PC, which requires local administrator rights.
After a restart, you'll be able to configure Windows Hello again.
Comments