Windows Hello For Business: creating PIN does not work anymore (0x80090010 NTE_PERM)

Troubleshooting PIN Enrollment Failures in Windows Hello for Business: Addressing Error 0x80090010 (NTE_PERM)

Introduction

Windows Hello for Business (WHFB) offers a seamless biometric and PIN authentication experience, enhancing security and usability for Windows devices. However, administrators and end-users can encounter issues during PIN setup, particularly after system updates or device reconfigurations. One common error is the 0x80090010 (NTE_PERM), often linked to Trusted Platform Module (TPM) readiness or configuration issues. This article explores a real-world troubleshooting scenario, identifies potential causes, and provides best practices for resolving such PIN enrollment errors.

Scenario Overview

The user’s device was hybrid Azure AD joined and also registered in Entra ID, leading to conflicting device entries. When checking device registration status using dsregcmd /status, the system indicated the device hostname was already in use, which prevented proper policy application via Intune. The resolution involved removing the device entry from on-premises Active Directory (AD), AutoPilot, and Entra ID, before re-adding it. However, upon attempting to reset the PIN with dsregcmd /forcerecovery, the process failed with error 0x80090010 (NTE_PERM)—commonly associated with TPM readiness or permissions issues.

Troubleshooting Steps Undertaken

  1. Certificate Store Cleanup
    The administrator attempted to clear the Windows Hello for Business container from the certificate store using certutil -deleteHelloContainer. No container was found, indicating no lingering certificates. The user certificate store was also checked, but no Windows Hello for Business (WHfB) certificates were present.

  2. TPM Reset and Reinitialization
    The TPM was cleared to rule out a problem with its cryptographic state. After a reboot, the user successfully re-enrolled a PIN, but the error recurred during subsequent PIN setup attempts.

  3. Removing Cached Data
    The NGC folder (NVIDIA Group Cache), which stores cached biometric data, was deleted to rule out corruption. This did not resolve the issue.

  4. Administrative Intervention
    A colleague removed the user’s enrolled hardware-based authentication methods from Entra ID. Despite this, the PIN enrollment problem persisted.
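A PowerShell helper, added here rather than taken from the original article, that collects in one pass the signals the steps above were checked for by hand: the dsregcmd /status fields (including the hybrid-joined plus workplace-registered dual state from the scenario), TPM readiness, the presence of the Ngc container folder, and recent device-registration error events carrying 0x80090010. The Ngc folder path and the event log name are assumptions about standard Windows locations; run it in an elevated session on the affected device.

```powershell
# Added diagnostic helper, not code from the original article.
# Assumptions: $NgcPath and $RegLog are the standard Windows locations;
# Get-Tpm comes from the built-in TrustedPlatformModule module.

$NgcPath = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
$RegLog  = 'Microsoft-Windows-User Device Registration/Admin'

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

function Test-WhfbPinPrerequisites {
    $s   = Get-DsregStatus
    $tpm = Get-Tpm

    [pscustomobject]@{
        AzureAdJoined    = $s['AzureAdJoined']
        DomainJoined     = $s['DomainJoined']
        # YES here together with AzureAdJoined = YES means the device is both
        # hybrid joined and workplace registered, i.e. two Entra ID entries.
        WorkplaceJoined  = $s['WorkplaceJoined']
        NgcSet           = $s['NgcSet']
        TpmProtected     = $s['TpmProtected']
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady   # FALSE is a frequent companion of NTE_PERM
        NgcFolderPresent = Test-Path -LiteralPath $NgcPath
    }
}

function Get-NtePermEvents {
    # Recent error-level registration events whose text carries the HRESULT.
    Get-WinEvent -FilterHashtable @{ LogName = $RegLog; Level = 2 } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80090010|NTE_PERM' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-WhfbPinPrerequisites | Format-List
Get-NtePermEvents | Format-Table -AutoSize
```

Compare the report before and after each step (container cleanup, TPM clear, Ngc folder removal) so a change in TpmReady or NgcSet can be tied to the step that caused it.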

Additional Observations

Despite these setbacks, other Windows Hello for Business methods (such as biometric authentication) continued to function correctly. This suggests that certain WH
