daniilvolkov - stock.adobe.com

Tip

A complete guide to troubleshooting Windows Hello

Windows Hello has several common issues that administrators may need to troubleshoot. Find out what those issues are here and what to do about them.

Passwords are a very common authentication method that have numerous flaws, and Windows Hello's access control features can help organizations work around the weakness of passwords for Windows 10 desktop authentication.

In recent years, biometric authentication on devices has become increasingly popular. These components are built into the hardware and detect biologic signatures such as facial recognition, fingerprint scanning and iris scans.

The Microsoft Windows Hello program, native to Windows 10, enables and manages these options to make life easier. Microsoft is working with hardware manufacturers to reduce false positive rates and prevent spoofing. Now, Windows Hello is even able to tell if the image being input is 'living,' meaning Windows Hello won't accept a printed or digital photo for facial recognition.

The Microsoft Surface Pro, Surface Book and Windows 10 PCs have fingerprint scanners and cameras built in; plus, they are compatible with Windows Hello. In addition, there are third-party products that add Windows Hello to older Windows 10 devices which may not have the latest hardware support.

Enabling Windows Hello

To enable Windows Hello, go to Start > Settings > Accounts > Sign-in Options and select the desired option (Figure 1). Administrators can also configure additional options for privacy, such as locking the device and requiring sign-in after period of time. These additional security options are available, but they are not set by default.

Windows Hello Sign-in Options
The sign-in options within the Windows Hello settings

9 common Windows Hello issues to troubleshoot

While Windows Hello and biometric authentication is usually beneficial for users and system administrators, it does occasionally cause problems that admins must resolve.

Here are the most common causes of Windows Hello issues and how to troubleshoot and resolve them.

  1. Windows Hello Not Configured

This error is typically caused by some misconfiguration. Go to Start > Settings > Accounts > Sign-in Options and make sure they select and configure the right option (Figure 1). If it is configured, try number eight on this list.

  1. Fast Startup issues

This is a feature enabled in Windows Power Options that is easy to check. In some cases, Fast Startup has caused Windows Hello failures. Search for Power Options in the Windows search bar, then choose the power buttons. Click on settings that are currently unavailable and uncheck the box for Fast Startup under shutdown settings.

  1. Trusted Platform Module (TPM) not configured

This error is caused by TPM not working or administrators not enabling it. TPM is a security processor device from Intel that shows up in Device Manager (Figure 2).

TPM in the device manager
The Trusted Platform Module selected in the Device Manager utility

If it is missing, a software update or human error could have accidentally deleted it. To renew it, go to the Windows Search Bar and enter TPM.MSC.

Entering TPM in the search bar will open the Security Processor details where administrators can view TPM details, but TPM.MSC will provide more changeable options. In the TPM snap-in, go to Actions Pane and if Prepare the TPM is not greyed out, then the TPM is disabled. Click on it and then press Refresh(Figure 3).

TPM local management
The Trusted Platform Module window shows all relevant status info
  1. Errors due to a Windows update

A very common issue with Windows Hello failing and not allowing a user to authenticate is an error due to a Windows update. This is especially true of Windows update 2004, which broke all kinds of security features, including those associated with Windows Hello. Microsoft resolved those issues with later updates, so make sure devices are current on updates.

Devices such as cameras and fingerprint readers have continual driver updates just like Windows.
  1. Device drivers are incompatible

Devices such as cameras and fingerprint readers have continual driver updates just like Windows OSes. Contact their PC manufacturer to make sure the devices have the latest driver updates. Many manufacturers, such as HP, created driver updates to compensate for the Windows 2004 update errors. Go to Device Manager in Windows and locate the device. Drivers for cameras and other input devices will display.

There are tools such as DriverFix that automatically update outdated drivers on the entire PC. However, some administrators may not like relying on third-party tools to perform tasks under the covers. It's usually safest to simply follow each manufacturers' recommendations.

  1. Windows Hello Drivers may be out of date

The Windows Hello drivers receive updates via Windows updates, but there may be some changes that IT must make before Microsoft releases the cumulative updates. Also, just reinstalling the current update may correct the problem. Go to Device Manager - Biometric Devices (Figure 4). In this example, a facial recognition driver is present. To update it, follow the instructions noted in the next section on updating drivers.

Windows Hello driver
The Windows Hello driver in the Device Manager window

If the driver was not updated or the update did not fix the problem, uninstall and reinstall the driver.

  1. Updating and reinstalling drivers

The Device Manager provides a way to update, disable and uninstall drivers. Windows 10 lists the Windows Hello driver under Biometric Devices. However, this may vary from one PC to the next, and the Device Manager lists other device drivers such as cameras as well. If a device is not showing up, select Scan for Hardware Changes from the Action menu at the top of the Device Manager snap-in to have Windows detect it. If detection fails, check the device installation.

Update Drivers

  • Right-click on the driver in Device Manager and select Update.

Select Search Automatically for updated driver software (Figure 5). Windows will search the PC and the internet for an updated driver and will install the driver that it -- hopefully -- finds.

Different manufacturers may have different processes and tools to update their drivers. Windows will also provide the version number of the latest driver. This is a good way to update the Windows drivers, but go to the device manufacturer for other drivers for devices.

Reinstalling Windows Hello driver
A dialogue box displays the option to automatically search for the driver or input it manually

Uninstall and reinstall Drivers

  • Go to Device Manager, right-click on the driver and click uninstall device. This will remove the device from the device manager, so make sure this is the best option before performing this task.
  • In Device Manager, click on the Action menu at the top and select scan for hardware changes. The device should again show up with the same driver as before.
  1. Facial or Fingerprint Recognition not working

This is another common problem for Windows Hello, and the culprit is typically human error. The usual cause of this error is that the user tries to log in with Hello using a face or fingerprint but gets prompted to enter a PIN to log in. If the user tries to set up the face or fingerprint scan again, the desktop will send an error message such as "That Fingerprint has already been set up on another account. Try a different finger."

It's typically caused by the user registering a fingerprint for an account on Windows 10, then using the same finger for another account. This can occur even if the user deletes one account and creates a new one. It can also occur if administrators restore a backup image. The fix for this is pretty simple:

  • In the Windows Search bar, search for Services.
  • In the Services Snap-in, right-click on the Windows Biometric Service and select Stop (Figure 6).
Windows Biometric service
A services window with the Windows Biometric Service selected
  • In File Explorer, browse to \Windows\System32\WinBioDatabase and delete all files (.DAT). Admins may need to take ownership of this file to delete it.
  • In the Services Snap-in, start the Windows Biometric Service.
  • Register the fingerprints again.
  1. Check manufacturer's database for updates for biometrics

Manufacturers such as HP and Acer offer documentation for fixing common problems with their facial recognition and other biometric authentication methods.

Dig Deeper on Windows OS and management