Fixing the Frustrating Windows Hello PIN Error 0x80090010 on Intune-Managed Devices
If you’re managing Windows 11 24H2 devices with Intune and users suddenly can’t set up their Windows Hello PINs, you’re not alone. A known issue affecting Entra-joined devices is causing PIN setup to fail with error code 0x80090010 (NTE_PERM), leaving users locked out of this convenient authentication method.
What’s Causing This Problem?
Microsoft confirmed this issue affects devices running Windows 11 version 24H2 that received certain security updates starting in June 2025:
- KB5060842 (June 10, 2025)
- KB5063060 (June 11, 2025)
- KB5062553 (July 8, 2025)
The root cause? The UsePassportForWork policy configured at the user level instead of the device level. When this policy is set to User/{TenantId}/Policies/UsePassportForWork, PIN setup fails. But when it’s configured at Device/{TenantId}/Policies/UsePassportForWork, everything works fine.
Symptoms You’ll See
Users experience:
- PIN setup failing with “Your PIN could not be set up”
- The PIN setup window closing unexpectedly
- Inability to reset existing PINs
- Event ID 7703: “Windows Hello for Business policy is disabled”
- Event ID 7055: “Windows Hello container provisioning failed with error 0x80090010”
The Official Workaround
Microsoft recommends moving your UsePassportForWork policy from user-level to device-level configuration. In Intune, this means:
Instead of: Configuration policies (user-targeted)
Use: Endpoint Security → Account Protection (device-targeted)
But if you need a quicker fix or can’t easily change your policy targeting, there’s a registry solution.
Registry Fix That Actually Works
Here’s a step-by-step fix you can deploy via Intune or run manually:
- Remove affected devices from existing Windows Hello policies in Intune
- Wait a few hours or force sync and restart devices
- Create a registry file called Fix-WindowsHello.reg with this content (use plain straight quotes; curly quotes pasted from a web page will not import correctly):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork]
    "UsePassportForWork"=dword:00000001
    "Enabled"=dword:00000001

- Run the registry file with admin rights
- Restart the device
- Test PIN setup – it should work normally
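The same two registry values can be written from a script, which is easier to push through Intune than a .reg file and can report whether a device already has them. This is an added example, not part of the original post or Microsoft's guidance; the `-Apply` switch and the `Get-PolicyDrift` function are hypothetical names, while the key path and value names are the ones from the .reg file above.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent equivalent of Fix-WindowsHello.reg.
# Exit code 0 = values present, 1 = values missing or wrong (or the write failed).
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Key path and value names/data come from the .reg file on this page.
$KeyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$Expected = [ordered]@{ UsePassportForWork = 1; Enabled = 1 }

function Get-PolicyDrift {
    # Emits the name of every value that is missing, not a DWORD, or not the expected data.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $ok = $false
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $ok = ($key.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                  ($key.GetValue($name) -eq $Expected[$name])
        }
        if (-not $ok) { $name }
    }
}

$drift = @(Get-PolicyDrift)
if ($drift.Count -eq 0) {
    Write-Output 'Compliant: device-level PassportForWork values already set.'
    exit 0
}
if (-not $Apply) {
    Write-Output "Not compliant: $($drift -join ', ')"
    exit 1
}

# Create the key if it does not exist, then write only the values that drifted.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
foreach ($name in $drift) {
    New-ItemProperty -LiteralPath $KeyPath -Name $name -Value $Expected[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read back what was written instead of trusting the write.
$remaining = @(Get-PolicyDrift)
if ($remaining.Count -gt 0) { Write-Error "Failed to set: $($remaining -join ', ')"; exit 1 }
Write-Output "Set: $($drift -join ', '). Restart the device, then test PIN setup."
exit 0
```

Run without `-Apply` the script only reports and makes no changes, so it can serve as the detection half of an Intune remediation, with the `-Apply` run as the remediation half.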
Don’t Skip Those Security Updates
While it’s tempting to uninstall the problematic updates, they contain important security fixes. The September 2025 update doesn’t resolve the issue either, so the registry fix remains your best option until Microsoft releases a proper solution.
Prevention for Future Deployments
To avoid this issue on new devices:
- Configure Windows Hello policies at the device level in Intune’s Endpoint Security section
- Avoid user-level targeting for UsePassportForWork policies
- Test authentication setup on a small group before broad deployment
What’s Next?
Microsoft is investigating the issue but hasn’t provided a timeline for a permanent fix. Until then, the registry workaround gets your users back to secure PIN-based sign-ins without compromising security update installations.
This issue highlights the importance of testing policy configurations across different scopes in Intune. A simple change from user-level to device-level targeting can save hours of troubleshooting and frustrated users.

