Search the Community

If you have a Windows Hello-compatible device with facial recognition, such as the Surface Pro 11 or a third-party webcam with an IR scanner, you might encounter a problem with biometric authentication after installing this month's security updates for Windows 11. In the support document for KB5055523, which was released on April 8, Microsoft acknowledged issues with Windows Hello. According to Microsoft, Windows Hello facial recognition or PIN stops working after performing a system reset while keeping local files. Once back at the login screen, affected systems show an error message claiming the user's PIN is not available or "something went wrong with face setup." Here is the full description: It is worth noting that the problem does not affect all users resetting their computers. Microsoft says the issue is only observed if System Guard Secure Launch or Dynamic Root of Trust for Measurement (DRTM) was enabled after installing the April 2025 security update for Windows 11 version 24H2. It also does not affect systems with Windows 11 version 23H2 or older. Fortunately, bypassing this problem is easy. Just follow the on-screen instructions to re-enable your PIN, and then set up facial recognition once again from the Settings app. Speaking of other bugs, Microsoft recently acknowledged a Windows Update error on Windows 10 systems. That bug has a very simple solution: just ignore it, and it will go away. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of March): 1,357 RIP Matrix | Farewell my friend

Microsoft says some Windows users might be unable to log into their accounts via Windows Hello after installing the April 2025 security updates. This known issue impacts both client (Windows 11 24H2) and server (Windows Server 2025) platforms with the KB5055523 cumulative update installed, although only in some specific scenarios. According to Redmond, devices impacted by these Windows Hello authentication issues include those with the Dynamic Root of Trust for Measurement (DRTM) or System Guard Secure Launch features enabled before deploying the KB5055523 update. "We're aware of an edge case of Windows Hello issue affecting devices with specific security features enabled. After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to login to their Windows services using Windows Hello facial recognition or PIN," Microsoft explains. "Users might observe a Windows Hello Message saying 'Something happened and your PIN isn't available. Click to set up your PIN again' or 'Sorry something went wrong with face setup'." Until a permanent fix is available, the company also provides the following workarounds for affected Windows users: To log in using PIN, follow the Set my PIN prompt on the logon screen to re-enroll into Windows Hello. To use Face Logon, re-enroll in Windows Hello Facial Recognition by going to Settings > Accounts > Sign-in options > Facial recognition (Windows Hello) and selecting Set up. Next, follow the on-screen instructions. On Tuesday, Microsoft fixed another KB5055523 bug that caused authentication issues when Credential Guard was enabled on systems using the Kerberos PKINIT pre-auth security protocol. Earlier this week, Redmond also introduced a new Windows 11 24H2 safeguard hold for systems with SenseShield Technology's sprotect.sys driver (used by security or enterprise software) because of incompatibility issues that trigger blue or black screen of death (BSOD) errors. Other upgrade blocks prompted by incompatible software or hardware have also been applied to Windows devices with Dirac audio improvement software, integrated cameras, or the Easy Anti-Cheat and Safe Exam Browser apps. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of March): 1,357 RIP Matrix | Farewell my friend

Windows 11 includes an option to replace password authentication for the Windows Hello experience only, and here's how to set it up. On Windows 11, the system offers the ability to remove the password from your computer, but this doesn't mean your device will no longer require a form of authentication to access your account. Although the operating system offers a passwordless experience to access your computer, the feature only removes the password methods and replaces it with the Windows Hello feature so you can sign in to your account using Face, Fingerprint, or PIN, which are more secure than passwords. If you want to enable this feature, Windows 11 offers two ways, including using the Settings app, or you can also modify the Registry. In this how-to guide, I will outline the different methods to remove the password experience on Windows 11 while keeping your account secure behind the Windows Hello feature. Warning: This is a friendly reminder that editing the Registry is risky, and if you do not complete the task correctly, it can cause irreversible damage to your installation. It is recommended that you of the device before proceeding. How to enable passwordless sign-in on Windows 11 On Windows 11, you have at least two ways to configure the passwordless feature on your computer, including using the Settings app or modifying the Registry. From the Settings app To ditch the password authentication method on Windows 11, use these steps: Open Settings. Click on Accounts. Click the Sign-in options page on the right side. Finding Sign-in options in Windows 11. (Image credit: Mauro Huculak) (Option 1) Turn on the "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device" toggle switch to enable the feature. Windows Hello sign-in settings. (Image credit: Mauro Huculak) (Option 2) Turn off the "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device" toggle switch to disable the feature. Once you complete the steps, the system will remove the ability to sign in with your account password, and instead, you will have to use one of the authentication methods that Windows Hello provides, including Face, Fingerprint, or PIN. From the Registry Editor To enable passwordless authentication on Windows 11, use these steps: Open Start. Search for regedit and click the top result to open the Registry Editor. Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device Right-click the DevicePasswordLessBuildVersion key and choose the Modify option. Change the value of the key from 0 to 2. Editing the Windows 11 registry to enable a passwordless sign-in. (Image credit: Mauro Huculak) Click the OK button. After you complete the steps, you will only be able to sign in to your computer account using the Windows Hello authentication. You may still need to restart the computer to apply the changes. If you want to undo the changes, you can use the same instructions mentioned above, but in step 5, change the value from 2 to 0. It's important to note that this option doesn't remove the password from your Microsoft account. It only turns off the use of a password on your Windows account on the local computer. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. 2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts RIP Matrix | Farewell my friend

Windows 11 is getting a sign-in and authentication overhaul, and it’s now in beta testing. Microsoft is modernizing how its Windows Hello authentication, which includes facial and fingerprint recognition, works in Windows 11. The revamp to the Windows Hello experience is now in beta testing with Windows Insiders, and includes visual changes, new iconography, and improvements to passkeys. Not only will this new UI appear on the Windows 11 login screen, but also when you’re using passkeys to sign into websites and apps. “We redesigned Windows security credential user experiences for passkey creating a cleaner experience that supports secured and quick authentication,” explains the Windows team. “Users will now be able to switch between authentication options and select passkey / devices more intuitively.” The new Windows Hello UI on the login screen of Windows 11. Image: Microsoft Microsoft currently supports passkeys in Windows 11, but the experience of using one from a mobile device involves scanning QR codes and an outdated UI. A new sign-in UI for passkeys and Microsoft account authentication will improve this greatly, as part of this Windows Hello UI overhaul. Microsoft has also built a new API for third-party password and passkey managers that can let developers plug directly into this modern Windows Hello experience. It will also allow Windows 11 users to use passkey from a mobile device to authenticate with apps and websites on a PC. This new passkeys experience will also support saving passkeys to third-party apps or syncing them to your Microsoft account. The new passkey sign-in process. Image: Microsoft Microsoft has started testing this new Windows Hello experience for the beta channel (23H2), and it should also appear in the dev channel (which is based on 24H2) once builds resume soon. I’d expect we’ll see this new Windows Hello UI appear for all Windows 11 users in the coming months. Source Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. 2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts RIP Matrix | Farewell my friend

A security group hired by Microsoft to test its Windows Hello fingerprint authentication hardware and software has posted word they were able to bypass that technology on a number of laptops, including a Microsoft Surface product. The Blackwing Intelligence group revealed their findings in October as part of Microsoft's BlueHat security conference but only posted their results on their own site this week (via The Verge). The blog post, which has the catchy title "A Touch of Pwn", stated the group used the fingerprint sensors inside the Dell Inspiron 15 and the Lenovo ThinkPad T14 laptops, along with the Microsoft Surface Pro Type Cover with Fingerprint ID made for the Surface Pro 8 and X tablets. The specific fingerprint sensors were made by Goodix, Synaptics, and ELAN. All of the Windows Hello-supported fingerprint sensors that were tested used “match on chip” hardware, which means that the authentication is handled on the sensor itself which has its own microprocessor and storage. Blackwing stated: Blackwing used reverse engineering to find flaws in the fingerprint sensors and then created their own USB device that could perform a man-in-the-middle (MitM) attack. This device allowed them to bypass the fingerprint authentication hardware in those devices. The blog also pointed out that while Microsoft uses the Secure Device Connection Protocol (SDCP) "to provide a secure channel between the host and biometric devices" two of the three fingerprint sensors that were tested didn't even have SDCP enabled. Blackwell recommended that all fingerprint sensor companies not only enable SDCP on their products but also get a third-party company to make sure it works. It should be pointed out that bypassing these fingerprint hardware products took "approximately three months" of work by Blackwing, with a lot of effort, but the point is they were successful. It remains to be seen if Microsoft, or the fingerprint sensor companies, can use this research to fix these issues. Source

Microsoft is expanding support for passkeys in Windows 11 to make it more secure to log into websites and apps using biometric authentication. Passkeys are unique codes linked to specific devices such as computers, tablets, or smartphones. Using passkeys significantly reduces the risk of data breaches as they provide protection against phishing attacks that cannot steal them and gain unauthorized access. Passkeys offer a more secure and convenient alternative to passwords as they allow using personal identification numbers (PINs) or biometric authentication like fingerprints or facial recognition to log in to websites and applications. This eliminates the need to remember and manage multiple passwords, enhancing overall security and user experience. As Microsoft revealed, the Windows 11 Insider Preview Build 23486 release pushed to the Dev Channel has passwordless improvements allowing customers to sign into their accounts using passkeys and Windows Hello. "We are improving the passkey experience for Windows users. They can now go to any app or website that supports passkeys to create and sign in using passkeys with the Windows Hello native experience," Microsoft's Amanda Langowski and Brandon LeBlanc said. "Once a passkey is created, users can use Windows Hello (face, fingerprint, PIN) to sign in. In addition, users can use their phone to complete the application logon process." To use passkeys on your Windows device for website sign-ins, you have to go to passkey-enabled websites like bestbuy.com, ebay.com, or google.com, create a passkey by accessing from your account settings, and then sign out of your account and then sign back in using your newly created passkey. You can also manage your passkeys with the help of a new passkey management dialog integrated into the Windows settings by going to Settings > Accounts > Passkeys. You will see all passkeys saved on the Windows device, and you can search for and delete the ones you no longer use. Managing passkeys on Windows 11 (BleepingComputer) When testing the feature, BleepingComputer could use Windows 11 passkeys with Best Buy and Microsoft accounts when attempting to log in. However, while Google allowed for the creation of a passkey, it never prompted us to log in with a passkey when trying to sign into a Google account. Logging into BestBuy site with a passkey (BleepingComputer) In May, Google announced that it's rolling out support for passkeys for Google Accounts across all its services and platforms to allow users to sign into their accounts without entering a password or using 2-Step Verification (2SV). In May 2022, Microsoft and Apple also confirmed their commitment to passkeys, endorsing Web Authentication (WebAuthn) credentials (aka FIDO credentials). This has now become the standard approach for accessing accounts without requiring traditional passwords across platforms controlled by the three tech giants. "Passkeys will allow you to replace passwords when you sign into a web site or application that supports them," Langowski and LeBlanc said. "Passkeys represent a future where bad actors will have a much harder time stealing and using your credentials when signing into a web site or application. Passkeys are phish-resistant, recoverable, and faster for users." Source

Back in 2015, Microsoft introduced Windows Hello on Windows 10, a way to sign in to your Windows device without the need for passwords. Microsoft felt passwords were sometimes not the most secure and hence with Windows Hello, users could log in using fingerprint and facial recognition. The company also did away with passwords in 2021 and users no longer needed to access their Microsoft account (MSA). Today, in relation to Windows Hello, the company has announced that a new full-screen greeting will be displayed from now on. This notice will ask users whether they wish to continue using Windows Hello via facial recognition or fingerprint sensing. The prompt will also simultaneously inquire if users want to keep their fingerprint and face data on their PC. If a user chooses not to continue with Windows Hello, they will find an option to change their sign-in options and delete their data. In a support article announcing this new change, Microsoft has described it in detail. The company has also provided a screenshot of the full-screen notice that will greet users on both Windows 11 and Windows 10 respectively: Summary After signing in to your Windows device, you might receive a full-screen notice stating, “Choose if you want to keep signing in with your face or fingerprint.” It comes with the question, “Do you want to keep storing your face or fingerprint data on this PC?” To continue, you will need to select one of the two options available and then select Next: “Yes, sign in with my face or fingerprint. Keep storing my data so I can sign in to this PC with Windows Hello face or fingerprint recognition.” “No, change how I sign in. Take me to settings where I can remove sign-in options and delete my data.” Windows 11 Windows 10 Microsoft says this was introduced around a week ago on June 13, which seems to coincide with the recent Patch Tuesday updates on both Windows 10 (KB5027215) and Windows 11 (KB5027231). And in case you missed it, compatibility updates were released too on the same day. You may find more details on Microsoft's website in the knowledge base support article under KB5028763. Source

Hackers Got Past Windows Hello by Tricking a Webcam The security researchers used an infrared photos and third-party hardware to best Microsoft's facial recognition tech. Biometric authentication is a key piece of the tech industry's plans to make the world passwordless. But a new method for duping Microsoft's Windows Hello facial recognition system shows that a little hardware fiddling can trick the system into unlocking when it shouldn't. Services like Apple's FaceID have made facial recognition authentication more commonplace in recent years, with Windows Hello driving adoption even farther. Apple only lets you use FaceID with the cameras embedded in recent iPhones and iPads, and it's still not supported on Macs at all. But because Windows hardware is so diverse, Hello facial recognition works with an array of third-party webcams. Where some might see ease of adoption, though, researchers from the security firm CyberArk saw potential vulnerability. That's because you can't trust any old webcam to offer robust protections for how it collects and transmits data. Windows Hello facial recognition only works with webcams that have an infrared sensor in addition to the regular RGB sensor. But the system, it turns out, doesn't even look at RGB data. Which means that with one straight-on infrared image of a target's face and one black frame, the researchers found that they could unlock the victim's Windows Hello-protected device. By manipulating a USB webcam to deliver an attacker-chosen image, the researchers could trick Windows Hello into thinking the device owner’s face was present and unlocking. “We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.” Microsoft calls the finding a “Windows Hello Security Feature Bypass Vulnerability” and released patches on Tuesday to address the issue. In addition, the company suggests that users enable "Windows Hello Enhanced Sign-in Security,” which uses Microsoft's “Virtualization-based Security” to encrypt Windows Hello face data and process it in a protected area of memory where it can't be tampered with. The company did not respond to a request for comment from WIRED about the CyberArk findings. Tsarfati, who will present the findings next month at the Black Hat security conference in Las Vegas, says that the CyberArk team chose to look at Windows Hello's facial recognition authentication in particular because there has already been a lot of research industry-wide into PIN cracking and fingerprint-sensor spoofing. He adds that the team was drawn by the sizable Windows Hello user base. In May 2020 Microsoft said that the service had more than 150 million users. In December, the company added that 84.7 percent of Windows 10 users sign in with Windows Hello. While it sounds simple—show the system two photos and you're in—these Windows Hello bypasses wouldn't be easy to carry out in practice. The hack requires that attackers have a good quality infrared image of the target's face and physical access to their device. But the concept is significant as Microsoft continues to push Hello adoption with Windows 11. Hardware diversity among Windows devices and the sorry state of IoT security could combine to create other vulnerabilities in how Windows Hello accepts face data. “A really motivated attacker could do those things,” says Tsarfati. “Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there.” There are different ways to take and process images for facial recognition. Apple's FaceID, for example, only works with the company's proprietary TrueDepth camera arrays, an infrared camera combined with a number of other sensors. But Apple is in a position to control both hardware and software on its devices in a way that Microsoft is not for the Windows ecosystem. The Windows Hello Face setup information simply says “sign-in with your PC's infrared camera or an external infrared camera.” Marc Rogers, a longtime biometric sensor security researcher and vice president of cybersecurity at the digital identity management company Okta, says that Microsoft should make it very clear to users which third-party webcams are certified as offering robust protections for Windows Hello. Users can still decide whether they want to buy one of these products versus any old infrared webcam, but specific guidelines and recommendations would help people understand the options. The CyberArk research fits into a broader category of hacks known as “downgrade attacks,” in which a device is tricked into relying on a less secure mode—like a malicious cellphone tower that forces your phone to use 3G mobile data with its weaker defenses instead of 4G. An attack that gets Windows Hello to accept static, pre-recorded face data uses the same premise, and researchers have defeated Windows Hello's facial recognition before getting the system to accept photos using different techniques. Rogers says it's surprising that Microsoft didn't anticipate the possibility of attacks against third-party cameras like the one CyberArk devised. “Really Microsoft should know better,” he says. “This attack pathway in general is one that we have known for a long time. I’m a bit disappointed that they aren’t more strict about what cameras they will trust.” Hackers Got Past Windows Hello by Tricking a Webcam (May require free registration to view)