Windows Hello and FSSO
Hi,
We have a Fortinet firewall.
We authenticate via FSSO.
Now with Windows Hello, via biometrics or Face ID, it does not recognize login events, leaving the user without a session on the firewall.
Does anyone know how to resolve this?
Has anyone experienced something similar before?
Labels: FortiGate
Hi CyberUser
Not sure if it will solve the problem, but have you tried the latest FSSO agent version?
Yes, but it didn't work.
The AD logon events didn't show when the user logged on via Windows Hello.
FSSO, in polling or collector mode, relies on logon events on the AD/DC. If no event is created, then there is no FSSO session. You could try to use FSSOMA in your network, or disable the use of Windows Hello for domain PCs.
If you have found a solution, please like and accept it to make it easily accessible for others.
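The point made above (no logon event on the DC, no FSSO session) can be checked directly on the domain controller rather than inferred from the firewall. The PowerShell below is an added example for this thread, not code from Fortinet or from any poster; the user name, the DC name, the look-back window and the set of event IDs it searches are assumptions (which IDs a particular collector actually polls depends on its configuration), and the client-address parsing relies on the standard field labels in the Windows Security log.

```powershell
# Added example, not from the thread: look on a domain controller for the
# logon-related Security events that an FSSO collector in polling mode
# would correlate, for one user, within a recent window. Run it against
# the DC that authenticated the workstation, before and after a Windows
# Hello sign-in (and after a lock/unlock) to see what each one produces.
param(
    [string]$User    = 'jdoe',   # sAMAccountName to look for (assumed placeholder)
    [string]$Dc      = 'DC01',   # domain controller to query (assumed placeholder)
    [int]   $Minutes = 15        # how far back to search
)

# Event IDs commonly used to infer a logon from a DC: Kerberos TGT request
# (4768), Kerberos service ticket (4769), NTLM credential validation (4776)
# and account logon (4624). Treat the set as an assumption; adjust it to what
# your collector is configured to poll.
$logonIds = 4768, 4769, 4776, 4624

$filter = @{
    LogName   = 'Security'
    Id        = $logonIds
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# The account field is named differently per event ID, so match on the
# rendered message text with a whole-word, case-insensitive search.
$pattern = "(?i)\b$([regex]::Escape($User))\b"
$events  = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

if (-not $events) {
    Write-Host "No logon events for '$User' on $Dc in the last $Minutes minutes."
    Write-Host "Without a DC-side event there is nothing for FSSO to turn into a session."
    exit 1
}

# Pull out the client address so the result can be compared with the
# source IP the FortiGate would need for an FSSO user/IP mapping.
function Get-ClientAddress([string]$Message) {
    if     ($Message -match 'Client Address:\s+(\S+)')         { return $Matches[1] }
    elseif ($Message -match 'Source Network Address:\s+(\S+)') { return $Matches[1] }
    elseif ($Message -match 'Source Workstation:\s+(\S+)')     { return $Matches[1] }
    else                                                        { return '' }
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'ClientAddress'; e = { Get-ClientAddress $_.Message } } |
    Format-Table -AutoSize
```

If the script lists nothing for a Windows Hello sign-in but does list a 4768/4624 pair after a lock/unlock with Hello, that matches the behaviour described in the thread: the collector only has something to work with once the second sign-in reaches the DC. Kerberos events report the client as an IPv4-mapped IPv6 address (the ::ffff: prefix), so strip it before comparing with the address shown on the firewall.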
@CyberUser
I see this is an old topic, but we currently have the same issue. After logging in using Windows Hello for Business, there is no FSSO session. Usually, a quick workaround is to lock and unlock the screen also using Windows Hello, which then creates a session on the firewall. We have a hybrid environment with cloud Kerberos trust, and based on my experience, Windows Hello and FSSO do not work together very well.
I haven’t confirmed this with Microsoft yet, but in our case, having a hybrid environment and logging in on-premise, it seems that if you're using cloud Kerberos trust and the PC is blocked from the internet (because there is no FSSO session), the Windows Hello for Business sign-in may fail. I have frequently encountered errors such as: "PIN isn't available: 0xc000005e 0x0."
In a hybrid environment using cloud Kerberos trust (documentation), the sign-in process requires a round trip from the user’s machine to Microsoft Entra, and this trip cannot complete because there is no session on the firewall. This last issue can be resolved by creating a firewall policy based on the users' source IP addresses, while using the endpoint addresses utilised by Entra ID as the destination.
While this partially resolves the problem, I haven't found a solution for FSSO aside from locking and unlocking the screen, so additional infrastructure, as mentioned by @ebilcari, may be necessary.
