Sometimes users need to have their Windows Hello for Business container reset. This can happen for a myriad of reasons:
- Biometrics stopped working
- “Something went wrong” errors during sign-in that won’t resolve
- Trust relationship between the credential and Microsoft Entra ID broke
- User suspects their PIN was observed or compromised
- Device was lost briefly and recovered — user wants to re-key
For this support request, you can easily push a small script using Intune’s on-demand remediation feature (preview). All it does is use certutil to delete the Windows Hello container and return the exit code.
If the container has been successfully deleted, the user will be prompted to set up Windows Hello for Business after the next sign-out and sign-in, or after a restart.
⚠️ Warning: The
certutil -DeleteHelloContainercommand removes all credentials stored in the Windows Hello container, including any WebAuthn and FIDO2 passkeys. Users will need to re-register any passkeys after re-enrolling.
The Script#
📜 View full script
<#
.SYNOPSIS
Deletes the Windows Hello container for the current user.
.DESCRIPTION
Runs certutil -deleteHelloContainer to remove the Windows Hello for Business container.
Must be run in the logged-on user's context.
Exit codes:
- 0: Windows Hello container deleted successfully
- 1: Failed to delete Windows Hello container
.NOTES
Author: Simon Pauly Kofoed Mose
Blog: https://paulycloud.com
Version: 1.0 - Initial release
#>
$result = certutil -deleteHelloContainer 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host "COMPLIANT | Hello Container: Deleted | User: $env:USERNAME"
exit 0
} else {
Write-Host "NON-COMPLIANT | Hello Container: Failed to delete | User: $env:USERNAME | Exit Code: $LASTEXITCODE"
exit 1
}How to Deploy#
This uses the on-demand remediation feature (preview) in Intune. Upload the script as a detection script in a script package — no remediation script is needed, since the detection script itself performs the action.
- Navigate to Devices > Manage devices > Scripts and remediations
- Create a new script package
- Upload the script above as the detection script
- Configure it to:
- Run this script using the logged-on credentials — Yes
- Run script in 64-bit PowerShell — Yes
- Do not assign the script package to any group
- To initiate the reset: navigate to the target device and select Run remediation (preview)
Important Notes#
- The script must run as the local logged-in user — if deployed as SYSTEM, it will fail silently and report false results
- The user must sign out and sign back in (or restart) after the container is deleted to be prompted for re-enrollment
- The script does not alert the user or force a reboot of the device — communicate this to the user separately
- All credentials in the Hello container are removed, including FIDO2/WebAuthn passkeys