Client devices randomly unenroll from Windows Hello for Business

mx flag

I have followed the Deployment Guide found here: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment

We're able to set up fingerprint and facial recognition for the users and computers that are in the appropriate security groups, and when the screen is locked, the biometrics will unlock the computer. But after a few minutes (maybe 15 minutes, maybe an hour), Hello reverts back to an unenrolled state. No PIN, no fingerprints, no faces registered.

I've looked through the logs on the AD FS server, the CA server, and the client devices themselves, and I have no idea why the credentials are being deleted.

Anyone have any ideas on where to look?

Massimo
15 minutes sounds suspiciously like a Group Policy refresh time...
mx flag
I've checked, and the policy is still in effect.
bjoster
Check exactly what the GPO is doing. "15 minutes" is the refresh time, as @massimo said. Maybe it is re-setting your profile?
